** Description changed: [Availability] The package libavif is already in Ubuntu universe. The package libavif builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, i386, ppc64el, riscv64, s390x Link to package: https://launchpad.net/ubuntu/+source/libavif [Rationale] - The package libavif is required in Ubuntu main for providing AVIF image format support to python3-pil - The package libavif will not generally be useful for a large part of our user base, but is important/helpful still because python3-pil (pillow), which is already in main and widely used, depends on it for AVIF image format support - The package libavif is a new runtime dependency of package python3-pil that we already support - The binary package libavif16 needs to be in main to achieve the above. All other binary packages built by libavif (libavif-dev, libavif-bin, libavif-gdk-pixbuf) should remain in universe - There is no other/better way to solve this that is already in main or should go universe->main instead of this - This is the first time the package will be in main - The package libavif is required in Ubuntu main no later than the 26.04 LTS release in order to drop the Ubuntu delta in pillow and enable AVIF image support, which is available upstream but currently disabled due to libavif being in universe [Security] - Had 6 security issues in the past: - https://ubuntu.com/security/cve?package=libavif - https://security-tracker.debian.org/tracker/source-package/libavif - CVE-2025-48175, CVE-2025-48174 (Medium, integer overflows) were fixed in upstream 1.3.0, which is the version currently in Resolute - CVE-2023-6704, CVE-2023-6351, CVE-2023-6350 (use-after-free) were resolved - CVE-2020-36407 (out-of-bounds write) was resolved - Issues were handled promptly in Debian and upstream - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Packages does not open privileged ports (ports < 1024) - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...) [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/libavif - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libavif (1 open Debian bug of normal severity) - Upstream https://github.com/AOMediaCodec/libavif/issues The package has 133 open upstream issues (mostly feature requests, no critical bugs). Upstream is actively resolving them with issues closed as recently as this week - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package runs a test suite on build time, if it fails it makes the build fail, link to build log: * amd64: https://launchpadlibrarian.net/852070441/buildlog_ubuntu-resolute-amd64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz * amd64v3: https://launchpadlibrarian.net/852070440/buildlog_ubuntu-resolute-amd64v3.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz * arm64: https://launchpadlibrarian.net/852071406/buildlog_ubuntu-resolute-arm64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz * armhf: https://launchpadlibrarian.net/852128607/buildlog_ubuntu-resolute-armhf.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz * i386: https://launchpadlibrarian.net/852070301/buildlog_ubuntu-resolute-i386.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz * ppc64el: https://launchpadlibrarian.net/852072107/buildlog_ubuntu-resolute-ppc64el.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz * riscv64: https://launchpadlibrarian.net/852079574/buildlog_ubuntu-resolute-riscv64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz * s390x: https://launchpadlibrarian.net/852128608/buildlog_ubuntu-resolute-s390x.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - The package runs an autopkgtest, and is currently passing on the - following architectures, links to test logs: TBD + following architectures, links to test logs: + * amd64: + https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/amd64/liba/libavif/20260318_115807_7bcc2@/log.gz + * arm64: + https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/arm64/liba/libavif/20260318_113949_d77db@/log.gz + * i386: + https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/i386/liba/libavif/20260318_113352_1feff@/log.gz + * ppc64el: + https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/ppc64el/liba/libavif/20260318_112026_8cdf4@/log.gz - - The package does have not failing autopkgtests right now + - The package does not have failing autopkgtests right now [Quality assurance - packaging] - A mechanism to detect and fetch new upstream versions is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Please link to a recent build log of the package - https://launchpadlibrarian.net/852070441/buildlog_ubuntu-resolute-amd64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz + https://launchpadlibrarian.net/852070441/buildlog_ubuntu-resolute-amd64.libavif_1.3.0-1ubuntu4_BUILDING.txt.gz - Please attach the full output you have got from - `lintian --pedantic` as an extra post to this bug: + `lintian --pedantic` as an extra post to this bug: ``` lintian --pedantic libavif_1.3.0-1ubuntu4.dsc P: libavif source: maintainer-manual-page [debian/avifdec.1] P: libavif source: maintainer-manual-page [debian/avifenc.1] P: libavif source: redundant-rules-requires-root-no-field [debian/control:27] P: libavif source: source-contains-prebuilt-java-object [android_jni/gradle/wrapper/gradle-wrapper.jar] P: libavif source: trailing-whitespace [debian/changelog:302] ``` - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages - This package has no python2 or GTK2 dependencies - The package will not be installed by default - Packaging is complex, but that is ok because the build requires managing multiple codec backends with per-architecture availability (libgav1), conditional man page generation depending on both nodoc build option and architecture (pandoc unavailable on some arches with fallback to prebuilt pages), and stripping of an embedded libyuv copy in favour of the system library. These complexities are well-documented in debian/rules. Link to debian/rules: https://git.launchpad.net/ubuntu/+source/libavif/tree/debian/rules [UI standards] - Application is not end-user facing (does not need translation) [Dependencies] - Used check-mir from ubuntu-dev-tools to validate all dependencies or recommends are in main. [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be ~debcrafters-packages and I have their acknowledgment for that commitment - The future owning team is already subscribed to the package - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/libavif/1.3.0-1ubuntu4 - This change will not impact other teams [Background information] The Package description explains the package well Upstream Name is libavif Link to upstream project: https://github.com/AOMediaCodec/libavif [Original bug description] The pillow package in Debian started using it in https://tracker.debian.org/news/1641134/accepted-pillow-1121-1-source- into-experimental/ Leading to this proposed migration entry for Ubuntu python3-pil/amd64 in main cannot depend on libavif16 in universe We reverted the Build-Depends for now but might want to promote libavif instead. Trying to install in a minimal env gives those universe packages Get:3 http://archive.ubuntu.com/ubuntu questing/universe amd64 libdav1d7 amd64 1.5.1-1 [743 kB] Get:4 http://archive.ubuntu.com/ubuntu questing/universe amd64 libgav1-1 amd64 0.19.0-3build1 [380 kB] Get:5 http://archive.ubuntu.com/ubuntu questing/universe amd64 librav1e0.7 amd64 0.7.1-9 [1025 kB] Get:6 http://archive.ubuntu.com/ubuntu questing/universe amd64 libsvtav1enc2 amd64 2.3.0+dfsg-1 [2686 kB] Get:10 http://archive.ubuntu.com/ubuntu questing/universe amd64 libavif16 amd64 1.3.0-1ubuntu1 [124 kB] Which suggests we would need to also MIR svt-av1 , rust-rav1e and dav1d
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2130005 Title: [MIR] libavif To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libavif/+bug/2130005/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
