** Description changed: + [Availability] + The package libavif is already in Ubuntu universe. + The package libavif builds for the architectures it is designed to + work on. + It currently builds and works for architectures: amd64, amd64v3, + arm64, armhf, i386, ppc64el, riscv64, s390x + Link to package: https://launchpad.net/ubuntu/+source/libavif + + [Rationale] + - The package libavif is required in Ubuntu main for providing AVIF + image format support to python3-pil + - The package libavif will not generally be useful for a large part of + our user base, but is important/helpful still because python3-pil + (pillow), which is already in main and widely used, depends on it + for AVIF image format support + - The package libavif is a new runtime dependency of package + python3-pil that we already support + - The binary package libavif16 needs to be in main to achieve the + above. All other binary packages built by libavif (libavif-dev, + libavif-bin, libavif-gdk-pixbuf) should remain in universe + - There is no other/better way to solve this that is already in main + or should go universe->main instead of this + - This is the first time the package will be in main + - The package libavif is required in Ubuntu main no later than the + 26.04 LTS release in order to drop the Ubuntu delta in pillow and + enable AVIF image support, which is available upstream but currently + disabled due to libavif being in universe + + [Security] + - Had 6 security issues in the past: + - https://ubuntu.com/security/cve?package=libavif + - https://security-tracker.debian.org/tracker/source-package/libavif + - CVE-2025-48175, CVE-2025-48174 (Medium, integer overflows) were + fixed in upstream 1.3.0, which is the version currently in + Resolute + - CVE-2023-6704, CVE-2023-6351, CVE-2023-6350 (use-after-free) were + resolved + - CVE-2020-36407 (out-of-bounds write) was resolved + - Issues were handled promptly in Debian and upstream + + - no `suid` or `sgid` binaries + - no executables 
in `/sbin` and `/usr/sbin` + - Package does not install services, timers or recurring jobs + - Packages does not open privileged ports (ports < 1024) + - Package does not expose any external endpoints + - Packages does not contain extensions to security-sensitive software + (filters, scanners, plugins, UI skins, ...) + + [Quality assurance - function/usage] + - The package works well right after install + + [Quality assurance - maintenance] + - The package is maintained well in Debian/Ubuntu/Upstream and does + not have too many, long-term & critical, open bugs + - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libavif + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libavif + (1 open Debian bug of normal severity) + - Upstream https://github.com/AOMediaCodec/libavif/issues + The package has 133 open upstream issues (mostly feature requests, + no critical bugs). Upstream is actively resolving them with issues + closed as recently as this week + - The package does not deal with exotic hardware we cannot support + + [Quality assurance - testing] + - The package runs a test suite on build time, if it fails it makes + the build fail, link to build log: + * amd64: + https://launchpadlibrarian.net/852070441/buildlog_ubuntu-resolute-amd64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * amd64v3: + https://launchpadlibrarian.net/852070440/buildlog_ubuntu-resolute-amd64v3.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * arm64: + https://launchpadlibrarian.net/852071406/buildlog_ubuntu-resolute-arm64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * armhf: + https://launchpadlibrarian.net/852128607/buildlog_ubuntu-resolute-armhf.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * i386: + https://launchpadlibrarian.net/852070301/buildlog_ubuntu-resolute-i386.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * ppc64el: + https://launchpadlibrarian.net/852072107/buildlog_ubuntu-resolute-ppc64el.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * riscv64: + 
https://launchpadlibrarian.net/852079574/buildlog_ubuntu-resolute-riscv64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * s390x: + https://launchpadlibrarian.net/852128608/buildlog_ubuntu-resolute-s390x.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + + - The package runs an autopkgtest, and is currently passing on the + following architectures, links to test logs: TBD + + - The package does have not failing autopkgtests right now + + [Quality assurance - packaging] + - A mechanism to detect and fetch new upstream versions is present and + works + - debian/control defines a correct Maintainer field + - Lintian overrides are not present + ``` + lintian --pedantic libavif_1.3.0-1ubuntu4.dsc + P: libavif source: maintainer-manual-page [debian/avifdec.1] + P: libavif source: maintainer-manual-page [debian/avifenc.1] + P: libavif source: redundant-rules-requires-root-no-field [debian/control:27] + P: libavif source: source-contains-prebuilt-java-object [android_jni/gradle/wrapper/gradle-wrapper.jar] + P: libavif source: trailing-whitespace [debian/changelog:302] + ``` + + - This package does not rely on obsolete or about to be demoted + packages + - This package has no python2 or GTK2 dependencies + - The package will not be installed by default + + - Packaging is complex, but that is ok because the build requires + managing multiple codec backends with per-architecture availability + (libgav1), conditional man page generation depending on both nodoc + build option and architecture (pandoc unavailable on some arches + with fallback to prebuilt pages), and stripping of an embedded + libyuv copy in favour of the system library. These complexities are + well-documented in debian/rules. Link to debian/rules: + https://git.launchpad.net/ubuntu/+source/libavif/tree/debian/rules + + [UI standards] + - Application is not end-user facing (does not need translation) + + [Dependencies] + - Used check-mir from ubuntu-dev-tools to validate all dependencies + or recommends are in main. 
+ + [Standards compliance] + - This package correctly follows FHS and Debian Policy + + [Maintenance/Owner] + - The owning team will be ~debcrafters-packages and I have their + acknowledgment for that commitment + - The future owning team is already subscribed to the package + + - This does not use static builds + - This does not use vendored code + - This package is not rust based + + - The package has been built within the last 3 months in the archive + - Build link on launchpad: + https://launchpad.net/ubuntu/+source/libavif/1.3.0-1ubuntu4 + + - This change will not impact other teams + + [Background information] + The Package description explains the package well + Upstream Name is libavif + Link to upstream project: https://github.com/AOMediaCodec/libavif + + [Original bug description] + The pillow package in Debian started using it in https://tracker.debian.org/news/1641134/accepted-pillow-1121-1-source- into-experimental/ Leading to this proposed migration entry for Ubuntu python3-pil/amd64 in main cannot depend on libavif16 in universe We reverted the Build-Depends for now but might want to promote libavif instead. Trying to install in a minimal env gives those universe packages Get:3 http://archive.ubuntu.com/ubuntu questing/universe amd64 libdav1d7 amd64 1.5.1-1 [743 kB] Get:4 http://archive.ubuntu.com/ubuntu questing/universe amd64 libgav1-1 amd64 0.19.0-3build1 [380 kB] Get:5 http://archive.ubuntu.com/ubuntu questing/universe amd64 librav1e0.7 amd64 0.7.1-9 [1025 kB] Get:6 http://archive.ubuntu.com/ubuntu questing/universe amd64 libsvtav1enc2 amd64 2.3.0+dfsg-1 [2686 kB] Get:10 http://archive.ubuntu.com/ubuntu questing/universe amd64 libavif16 amd64 1.3.0-1ubuntu1 [124 kB] - Which suggests we would need to also MIR svt-av1 , rust-rav1e and dav1d
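Review bot: In [Dependencies], the line "Used check-mir from ubuntu-dev-tools to validate all dependencies or recommends are in main" does not say what check-mir reported. Meanwhile, [Original bug description] shows that installing libavif16 pulls libdav1d7, libgav1-1, librav1e0.7 and libsvtav1enc2 from universe. State the check-mir result and say, for each of those four, whether it gets its own MIR or stops being a dependency of libavif16. In [Quality assurance - testing], the autopkgtest logs are still "TBD", so the next bullet has nothing to back it yet, and its wording ("does have not failing autopkgtests") should be fixed when the links are added.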
** Summary changed: - [MIR] libavif? + [MIR] libavif ** Description changed: [Availability] The package libavif is already in Ubuntu universe. The package libavif builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, i386, ppc64el, riscv64, s390x Link to package: https://launchpad.net/ubuntu/+source/libavif [Rationale] - The package libavif is required in Ubuntu main for providing AVIF - image format support to python3-pil + image format support to python3-pil - The package libavif will not generally be useful for a large part of - our user base, but is important/helpful still because python3-pil - (pillow), which is already in main and widely used, depends on it - for AVIF image format support + our user base, but is important/helpful still because python3-pil + (pillow), which is already in main and widely used, depends on it + for AVIF image format support - The package libavif is a new runtime dependency of package - python3-pil that we already support + python3-pil that we already support - The binary package libavif16 needs to be in main to achieve the - above. All other binary packages built by libavif (libavif-dev, - libavif-bin, libavif-gdk-pixbuf) should remain in universe + above. 
All other binary packages built by libavif (libavif-dev, + libavif-bin, libavif-gdk-pixbuf) should remain in universe - There is no other/better way to solve this that is already in main - or should go universe->main instead of this + or should go universe->main instead of this - This is the first time the package will be in main - The package libavif is required in Ubuntu main no later than the - 26.04 LTS release in order to drop the Ubuntu delta in pillow and - enable AVIF image support, which is available upstream but currently - disabled due to libavif being in universe + 26.04 LTS release in order to drop the Ubuntu delta in pillow and + enable AVIF image support, which is available upstream but currently + disabled due to libavif being in universe [Security] - Had 6 security issues in the past: - - https://ubuntu.com/security/cve?package=libavif - - https://security-tracker.debian.org/tracker/source-package/libavif - - CVE-2025-48175, CVE-2025-48174 (Medium, integer overflows) were - fixed in upstream 1.3.0, which is the version currently in - Resolute - - CVE-2023-6704, CVE-2023-6351, CVE-2023-6350 (use-after-free) were - resolved - - CVE-2020-36407 (out-of-bounds write) was resolved - - Issues were handled promptly in Debian and upstream + - https://ubuntu.com/security/cve?package=libavif + - https://security-tracker.debian.org/tracker/source-package/libavif + - CVE-2025-48175, CVE-2025-48174 (Medium, integer overflows) were + fixed in upstream 1.3.0, which is the version currently in + Resolute + - CVE-2023-6704, CVE-2023-6351, CVE-2023-6350 (use-after-free) were + resolved + - CVE-2020-36407 (out-of-bounds write) was resolved + - Issues were handled promptly in Debian and upstream - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024) - Package does not expose any external endpoints - Packages does not contain 
extensions to security-sensitive software - (filters, scanners, plugins, UI skins, ...) + (filters, scanners, plugins, UI skins, ...) [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does - not have too many, long-term & critical, open bugs - - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libavif - - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libavif - (1 open Debian bug of normal severity) - - Upstream https://github.com/AOMediaCodec/libavif/issues - The package has 133 open upstream issues (mostly feature requests, - no critical bugs). Upstream is actively resolving them with issues - closed as recently as this week + not have too many, long-term & critical, open bugs + - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libavif + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libavif + (1 open Debian bug of normal severity) + - Upstream https://github.com/AOMediaCodec/libavif/issues + The package has 133 open upstream issues (mostly feature requests, + no critical bugs). 
Upstream is actively resolving them with issues + closed as recently as this week - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes - the build fail, link to build log: - * amd64: - https://launchpadlibrarian.net/852070441/buildlog_ubuntu-resolute-amd64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - * amd64v3: - https://launchpadlibrarian.net/852070440/buildlog_ubuntu-resolute-amd64v3.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - * arm64: - https://launchpadlibrarian.net/852071406/buildlog_ubuntu-resolute-arm64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - * armhf: - https://launchpadlibrarian.net/852128607/buildlog_ubuntu-resolute-armhf.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - * i386: - https://launchpadlibrarian.net/852070301/buildlog_ubuntu-resolute-i386.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - * ppc64el: - https://launchpadlibrarian.net/852072107/buildlog_ubuntu-resolute-ppc64el.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - * riscv64: - https://launchpadlibrarian.net/852079574/buildlog_ubuntu-resolute-riscv64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - * s390x: - https://launchpadlibrarian.net/852128608/buildlog_ubuntu-resolute-s390x.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + the build fail, link to build log: + * amd64: + https://launchpadlibrarian.net/852070441/buildlog_ubuntu-resolute-amd64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * amd64v3: + https://launchpadlibrarian.net/852070440/buildlog_ubuntu-resolute-amd64v3.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * arm64: + https://launchpadlibrarian.net/852071406/buildlog_ubuntu-resolute-arm64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * armhf: + https://launchpadlibrarian.net/852128607/buildlog_ubuntu-resolute-armhf.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * i386: + https://launchpadlibrarian.net/852070301/buildlog_ubuntu-resolute-i386.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * ppc64el: + 
https://launchpadlibrarian.net/852072107/buildlog_ubuntu-resolute-ppc64el.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * riscv64: + https://launchpadlibrarian.net/852079574/buildlog_ubuntu-resolute-riscv64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + * s390x: + https://launchpadlibrarian.net/852128608/buildlog_ubuntu-resolute-s390x.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - The package runs an autopkgtest, and is currently passing on the - following architectures, links to test logs: TBD + following architectures, links to test logs: TBD - The package does have not failing autopkgtests right now [Quality assurance - packaging] - A mechanism to detect and fetch new upstream versions is present and - works + works - debian/control defines a correct Maintainer field + - This package does not yield massive lintian Warnings, Errors + - Please link to a recent build log of the package + https://launchpadlibrarian.net/852070441/buildlog_ubuntu-resolute-amd64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + - Please attach the full output you have got from + `lintian --pedantic` as an extra post to this bug: + ``` + lintian --pedantic libavif_1.3.0-1ubuntu4.dsc + P: libavif source: maintainer-manual-page [debian/avifdec.1] + P: libavif source: maintainer-manual-page [debian/avifenc.1] + P: libavif source: redundant-rules-requires-root-no-field [debian/control:27] + P: libavif source: source-contains-prebuilt-java-object [android_jni/gradle/wrapper/gradle-wrapper.jar] + P: libavif source: trailing-whitespace [debian/changelog:302] + ``` - Lintian overrides are not present - ``` - lintian --pedantic libavif_1.3.0-1ubuntu4.dsc - P: libavif source: maintainer-manual-page [debian/avifdec.1] - P: libavif source: maintainer-manual-page [debian/avifenc.1] - P: libavif source: redundant-rules-requires-root-no-field [debian/control:27] - P: libavif source: source-contains-prebuilt-java-object [android_jni/gradle/wrapper/gradle-wrapper.jar] - P: libavif source: trailing-whitespace 
[debian/changelog:302] - ``` - This package does not rely on obsolete or about to be demoted - packages + packages - This package has no python2 or GTK2 dependencies - The package will not be installed by default - Packaging is complex, but that is ok because the build requires - managing multiple codec backends with per-architecture availability - (libgav1), conditional man page generation depending on both nodoc - build option and architecture (pandoc unavailable on some arches - with fallback to prebuilt pages), and stripping of an embedded - libyuv copy in favour of the system library. These complexities are - well-documented in debian/rules. Link to debian/rules: - https://git.launchpad.net/ubuntu/+source/libavif/tree/debian/rules + managing multiple codec backends with per-architecture availability + (libgav1), conditional man page generation depending on both nodoc + build option and architecture (pandoc unavailable on some arches + with fallback to prebuilt pages), and stripping of an embedded + libyuv copy in favour of the system library. These complexities are + well-documented in debian/rules. Link to debian/rules: + https://git.launchpad.net/ubuntu/+source/libavif/tree/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - Used check-mir from ubuntu-dev-tools to validate all dependencies - or recommends are in main. + or recommends are in main. 
[Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be ~debcrafters-packages and I have their - acknowledgment for that commitment + acknowledgment for that commitment - The future owning team is already subscribed to the package - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: - https://launchpad.net/ubuntu/+source/libavif/1.3.0-1ubuntu4 + https://launchpad.net/ubuntu/+source/libavif/1.3.0-1ubuntu4 - This change will not impact other teams [Background information] The Package description explains the package well Upstream Name is libavif Link to upstream project: https://github.com/AOMediaCodec/libavif [Original bug description] The pillow package in Debian started using it in https://tracker.debian.org/news/1641134/accepted-pillow-1121-1-source- into-experimental/ Leading to this proposed migration entry for Ubuntu python3-pil/amd64 in main cannot depend on libavif16 in universe We reverted the Build-Depends for now but might want to promote libavif instead. Trying to install in a minimal env gives those universe packages Get:3 http://archive.ubuntu.com/ubuntu questing/universe amd64 libdav1d7 amd64 1.5.1-1 [743 kB] Get:4 http://archive.ubuntu.com/ubuntu questing/universe amd64 libgav1-1 amd64 0.19.0-3build1 [380 kB] Get:5 http://archive.ubuntu.com/ubuntu questing/universe amd64 librav1e0.7 amd64 0.7.1-9 [1025 kB] Get:6 http://archive.ubuntu.com/ubuntu questing/universe amd64 libsvtav1enc2 amd64 2.3.0+dfsg-1 [2686 kB] Get:10 http://archive.ubuntu.com/ubuntu questing/universe amd64 libavif16 amd64 1.3.0-1ubuntu1 [124 kB] Which suggests we would need to also MIR svt-av1 , rust-rav1e and dav1d -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/2130005 Title: [MIR] libavif
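Review bot: In [Quality assurance - packaging], the added lines "Please link to a recent build log of the package" and "Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug:" are template prompts carried into the description rather than answers. Replace them with statements, for example a plain "Recent build log:" line followed by the link, and either keep the lintian output inline or move it to a comment as the prompt asks. The lintian output also lists source-contains-prebuilt-java-object for android_jni/gradle/wrapper/gradle-wrapper.jar. Add a sentence on whether that prebuilt jar is used during the package build, since [Maintenance/Owner] states the package uses no vendored code.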
