Public bug reported:

[Availability]
The package gpgmepp is already in Ubuntu universe.
The package gpgmepp builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/gpgmepp

[Rationale]
- The package gpgmepp is required in Ubuntu main as it is a dependency of poppler, which is in main. This dependency used to be satisfied by src:gpgme1.0, which is in main. But the required binary packages were split into this new source package. gpgme1.0 itself is too old to have had an MIR.
- This is the first time this new source package will be in main but its binary packages were previously in main through src:gpgme1.0.
- All binary packages built by gpgmepp need to be in main for poppler.
- The package gpgmepp is required in Ubuntu main no later than Mar 23 due to beta freeze.

[Security]
- No CVEs/security issues in this software in the past.
  There are two past CVEs for gpgme1.0 but they are 10+ years old and seem unrelated to this binary.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Package is a wrapper library for GPGME, so it could be considered an extension of security-sensitive software.

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/gpgmepp/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gpgmepp
  - Also adding the bug trackers for gpgme1.0 here but they are not concerning:
    + Ubuntu https://bugs.launchpad.net/ubuntu/+source/gpgme1.0/+bug
    + Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=gpgme1.0
  - Upstream's bug tracker (shared with gpgme1.0): https://dev.gnupg.org/maniphest/
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
Unfortunately, there is essentially no testing available for this package either during build or as autopkgtests.
This is not ideal, but the package only ships development headers and is otherwise fairly minimal, so the chances of a simple regression are fairly low. Furthermore, when the binaries shipped by this package were in main it was not explicitly tested either. While gpgme1.0 does provide build-time and autopkgtests, none of them interacted with the contents that have now been split into this package.

Either way, the Debcrafters team is willing to provide further support for regressions caused by gpgmepp in lieu of other testing options. In the future, we will look into adding tests ourselves if necessary.

[Quality assurance - packaging]
- A mechanism to detect and fetch new upstream versions is present and works
- debian/control defines a correct Maintainer field
- Lintian overrides are present, but ok because they only disable shipping symbols files and are well justified within the override
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/gpgmepp/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate all dependencies or recommends are in main.
- There are further dependencies that are not yet in main (libgpgmepp7 is part of the same source package), the MIR process for them is handled as part of this bug here.

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Debcrafters and I have their acknowledgment for that commitment
- The future owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive, link to builds for all arches: https://launchpad.net/ubuntu/+source/gpgmepp/2.0.0-2
- This change will not impact other teams

[Background information]
The Package description explains the package well
Upstream Name is gpgmepp
Link to upstream project: https://gnupg.org/software/gpgme/

As stated elsewhere in the bug, the binaries shipped by this source package used to be shipped by the gpgme1.0 package, which is already in main. The new package ships a new version of the libgpgmepp binary, which is required for poppler in main, so this is essentially a re-promotion of a package which otherwise would have been a simple update.

** Affects: gpgmepp (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2142863

Title:
  [MIR] gpgmepp
