Public bug reported: [Availability] The package uwsgi is already in Ubuntu universe. The package uwsgi builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, ppc64el, riscv64, s390x Link to package: https://launchpad.net/ubuntu/+source/uwsgi
[Rationale] - The package uwsgi is required in Ubuntu main as a runtime dependency for OpenStack services (keystone, nova, neutron, glance, cinder, placement, ...) which are dropping mod_wsgi+apache2 in favour of uwsgi-native deployment. Those service packages are already in main; promoting uwsgi closes the gap. - The package is useful to a large part of the server user base (OpenStack consumers, plus general Python/PSGI/Rack web-app hosting). - No better alternative already in main: mod_wsgi is being removed by upstream OpenStack, and gunicorn/mod_proxy_uwsgi do not cover the full Emperor/process-management/protocol surface OpenStack relies on. - This is the first time src:uwsgi will be in main. - Binary packages needed in main: uwsgi-core, uwsgi, uwsgi-emperor. All other binaries built by src:uwsgi (uwsgi-dev, uwsgi-src, uwsgi-extra, uwsgi-plugin-*) remain in universe. - Required no later than the 26.10 release so OpenStack 2026.2 can ship with a supported uwsgi-native deployment path. [Security] - 5 historical CVEs (as of 2026-04-21): CVE-2018-6758 and CVE-2018-7490 fixed upstream and in Debian/Ubuntu; CVE-2020-11984, CVE-2021-36160 and CVE-2024-24795 are Apache httpd mod_proxy_uwsgi issues, not affecting current Ubuntu uwsgi (the apache module moved to src:apache2 after 2.0.15-11). - Ubuntu tracker: https://ubuntu.com/security/cves?package=uwsgi - Debian tracker: https://security-tracker.debian.org/tracker/source-package/uwsgi - No suid/sgid binaries; no executables in /sbin or /usr/sbin. - Ships init.d scripts and systemd units for uwsgi and uwsgi-emperor (debian/uwsgi*.init.d, debian/uwsgi-emperor.service, debian/uwsgi-files/systemd/uwsgi-app@.{service,socket}). No timers. - Privilege isolation: defaults run as www-data, Unix sockets under /run/uwsgi with mode 660; per-app systemd template uses DynamicUser=yes; uwsgi supports uid/gid drop and libcap-backed capability control. - Hardening gap to flag: systemd units do not set NoNewPrivileges=, PrivateTmp=, ProtectSystem=, ProtectHome=, RestrictAddressFamilies= or CapabilityBoundingSet=. No AppArmor profile shipped. Worth a follow-up. - No privileged ports opened by default. No external endpoints by default (Unix sockets only). No filters/scanners/PAM modules or UI skins; only uwsgi's own plugin model. - TLS/SSL: SSLv2/SSLv3/TLSv1 disabled by default in core/ssl.c; opt-in options to re-enable SSLv3/TLSv1 still exist (ssl-enable-sslv3, ssl-enable-tlsv1). TLSv1.1 not explicitly disabled — relies on system crypto policy. Cipher names are admin-configurable in plugins/logcrypto and core/legion.c (no weak default). [Quality assurance - function/usage] - The package works well right after install. [Quality assurance - maintenance] - Maintained well in Debian (Debian unstable: 2.0.31-4; uploads 2.0.28-9 through 2.0.31-4 between Mar 2025 and Mar 2026; 0 RC bugs). Upstream continues 2.0.x maintenance releases but has ~780 open issues / ~90 PRs — distribution-level confidence rests on Debian packaging activity rather than upstream triage speed. - Ubuntu bugs: https://bugs.launchpad.net/ubuntu/+source/uwsgi/+bugs (6 open as of 2026-04-21, all Undecided) - Debian: https://tracker.debian.org/pkg/uwsgi - Upstream: https://github.com/unbit/uwsgi/issues - No exotic hardware requirements. [Quality assurance - testing] - Build-time: debian/rules override_dh_auto_test runs shellcheck on maintainer scripts, init scripts, and uwsgi init helpers; failures fail the build. - Autopkgtest passing on resolute amd64/arm64/armhf/ppc64el/s390x for 2.0.31-2 (2026-04-15/16). Results: https://autopkgtest.ubuntu.com/packages/u/uwsgi/resolute/ - Test is non-trivial: debian/tests/integration runs t/runner (10 unittest classes) against /usr/bin/uwsgi — launches a local server, verifies TCP readiness, makes HTTP requests via python3-requests, exercises the CGI plugin. - No failing autopkgtests; no special hardware required. OpenStack service-level integration tests provide additional coverage at the use-case level. [Quality assurance - packaging] - A mechanism to detect and fetch new upstream versions is present and works. - debian/control defines a correct Maintainer field but will need to be updated once an Ubuntu delta is applied. - This package does not yield massive lintian Warnings or Errors. - Recent build log: https://launchpad.net/ubuntu/+source/uwsgi/2.0.31-2 - Lintian overrides are present, but ok because: - debian/source/lintian-overrides: dep5 license-paragraph references (Debian #786450), debian/patches/0* pattern, py distutils/pipes fallbacks in upstream plugin scripts. - debian/uwsgi-core.lintian-overrides: shared-library-lacks-prerequisites for plugin .so files; doc-base for test data. - debian/uwsgi.lintian-overrides: missing-systemd-service-for-init.d-script (covered by uwsgi-app@ template units, Debian #1039408). - debian/uwsgi-src.lintian-overrides: documentation-outside-usr-share-doc (uwsgi-src ships the extracted tarball by design). - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies. - The package will not be installed by default. - Packaging and build is moderately complex but well-structured. The source package builds eight binary packages (uwsgi, uwsgi-core, uwsgi-dev, uwsgi-emperor, uwsgi-extra, uwsgi-src) plus a set of per-plugin binaries (uwsgi-plugin-alarm-curl, uwsgi-plugin-alarm-xmpp, uwsgi-plugin-curl-cron, uwsgi-plugin-emperor-pg, uwsgi-plugin-geoip, uwsgi-plugin-graylog2, uwsgi-plugin-ldap, uwsgi-plugin-router-access, uwsgi-plugin-sqlite3, uwsgi-plugin-xslt). [UI standards] - Application is not end-user facing (does not need translation). [Dependencies] - In-scope for main: uwsgi-core, uwsgi, uwsgi-emperor. All other binaries from this source stay in universe. - Build-Depends in universe (allowed per MIR rules): help2man, libgeoip-dev, libgloox-dev, libzmq5-dev/libzmq3-dev, shellcheck. - Runtime finding: uwsgi-core ships emperor_zeromq, logzmq and mongrel2 plugins which link -lzmq, so ${shlibs:Depends} pulls libzmq5 (universe) into uwsgi-core. Libzmq5 was previously approved for an MIR but never promoted. This will be looked into and resubmitted if need be. - Companion MIRs required: uwsgi-plugin-python3 is needed. WIP, will be linked here once filed. https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1597439 [Standards compliance] - This package correctly follows FHS and Debian Policy. [Maintenance/Owner] - The owning team will be ~ubuntu-openstack and I have their acknowledgment for that commitment. - The future owning team is not yet subscribed, but will subscribe to the package before promotion. - This does not use static builds; uwsgi is a C application linked dynamically via ${shlibs:Depends}. - This does not use vendored code: no vendor/, no Cargo.lock, no go.sum. (Upstream t/go/ files are test fixtures; plugins/gccgo is excluded via UWSGI_SRCPLUGINS_ALIEN.) - Refreshing instructions therefore do not apply. - debian/copyright therefore does not need to cover vendored content. - This package is not rust based. - The package has been built within the last 3 months in the archive. - Build link on Launchpad: https://launchpad.net/ubuntu/+source/uwsgi/2.0.31-2 This change will impact other teams and they are/will be made aware: - Ubuntu Server (nginx/apache2 front-ends, AppArmor) - Ubuntu OpenStack (consumer driving the migration) - Ubuntu Security (SSL/TLS posture, systemd hardening follow-ups) - src:uwsgi-plugin-python maintainers (companion MIR) [Background information] - The package description explains the package well. - Upstream name: uwsgi - Link to upstream project: https://github.com/unbit/uwsgi ** Affects: uwsgi (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2151202 Title: [MIR] uwsgi To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/uwsgi/+bug/2151202/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
