[Bug 1934510] Re: [MIR] fuse3 as a dependency of qemu 6.0 and GNOME apps

Christian Ehrhardt  1934510 at bugs.launchpad.net
Tue Feb 1 15:07:30 UTC 2022 

Interim update:
- s390x-tools was confirmed by fheimes to have a fix before feature freeze
  - actually the fix exists already, but a new release containing it will be tagged
- grub2: still waiting, I pinged bug 1935659
- qemu: will switch to libfuse3-3 with the coming upload of 6.2 soon
- open-vm-tools will switch to fuse3 (again, since it was reverted for bug 1956949) in an upload soon

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fuse3 in Ubuntu.
https://bugs.launchpad.net/bugs/1934510

Title:
  [MIR] fuse3 as a dependency of qemu 6.0 and GNOME apps

Status in fuse3 package in Ubuntu:
  Fix Released

Bug description:
  Please promote the following binary packages built from src:fuse3 to
  main:

    - libfuse3-3
    - libfuse3-dev

  [Availability]

  The inclusion of fuse3 in Ubuntu is fairly recent, first being
  imported in Focal as a sync from Debian, however its predecessor
  src:fuse from the same upstream (libfuse [1]) has been packaged in
  Debian since 2002, it's already in main and has been in Ubuntu
  forever.

  The upstream project is "the reference implementation of the Linux
  FUSE (Filesystem in Userspace) interface" [1] , and can be fully
  trusted to keep maintaining the package in the foreseeable future.

  fuse3 is currently a sync from Debian in Focal, Groovy, Hirsute and
  Impish.

  [Rationale]

  QEMU 6.0 added support for FUSE block exports, which allow mounting
  the guest view of any QEMU block device node as a host file. Debian
  enabled this feature in src:qemu 1:6.0+dfsg-1~exp0 [3], currently in
  experimental, by adding a new build-dep on libfuse3-dev [4]. We want
  to bring this support to Ubuntu when merging qemu 6.0 from Debian, and
  therefore we need to MIR bin:libfuse3-dev and its runtime counterpart
  bin:libfuse3-3.

  [Security]

  The package is a library and won't add daemons, setuid binaries, or
  anything requiring authentication. (This is contrast with the
  bin:fuse3 package which ships a setuid binary, but which is not part
  of this MIR.)

  The upstream README.md at [1] has a "Security implications" section
  which only deals with fuse3, no warning is raised regarding the
  library.

  Given the popularity of the project we can assume that Linus' law
  applies [5].

  [Quality assurance]

  There are 0 open bugs in Ubuntu against src:fuse3.

  In Debian there are a few bugs against bin:fuse3, including a Serious
  (=> RC) bug, currently tagged "bullseye-ignore", but considered valid.
  The bin:fuse3 package is not part of this MIR. (It is likely that
  we'll want to also MIR bin:fuse3 at some point, and I considered doing
  so as part of this MIR, but it is more sensible to wait for that RC
  bug to be fixed before proceeding.)

  There are no noteworthy Debian bugs against src:fuse3 or any bin:
  package part of this MIR.

  [Dependencies]

  libfuse3-3: libc6 [ok]
  libfuse3-dev: libfuse3-3, libselinux-dev [ok]
  fuse3: libc6, libfuse3-3, adduser, mount, sed, lsb-base [ok]

  [Standards compliance]

  $ lintian fuse3_3.10.3-2.dsc
  N: 2 hints overridden (2 errors)

  The two overridden errors are "source-is-missing" errors for
  Javascript files which are not used or installed by any binary
  package:

  source-is-missing doc/html/jquery.js line length is 32401 characters (>512)
  source-is-missing doc/html/menu.js line length is 695 characters (>512)

  The second source-is-missing error looks like a false positive to me
  (the JS is not minimized). Avoiding the override  on jquery would
  require a +dfsg repacked source, with the extra maintenance it
  requires. I agree with the overrides in this case.

  [Maintenance]
  =============

  The Foundations Team maintains fuse (v2) so far and we are looking to
  them if they plan to transition to and own v3 at some point.

  --

  [1] https://github.com/libfuse/libfuse
  [2] https://wiki.qemu.org/ChangeLog/6.0
  [3] https://metadata.ftp-master.debian.org/changelogs//main/q/qemu/qemu_6.0+dfsg-1~exp0_changelog
  [4] https://salsa.debian.org/qemu-team/qemu/-/commit/9fdcf4181e1c8120e6b7c9059209656469bf499b
  [5] https://en.wikipedia.org/wiki/Linus%27s_law
  [6] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918984


  ----

  From some later work on the Dependencies, here a list of related
  bugs/issues that need to be resolved to make this happen:

  From:
  https://lists.ubuntu.com/archives/ubuntu-devel/2021-July/041530.html

  - https://bugs.launchpad.net/ubuntu/+source/fuse3/+bug/1934510
  - https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1935659
  - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1935665
  - https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1935666
  - https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1935667
  - https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal/+bug/1935668
  - https://github.com/libfuse/libfuse/blob/master/ChangeLog.rst#libfuse-300-2016-12-08
  - https://github.com/ceph/ceph/commit/cb0a600acfca76c5b4653e4c6f34c1712a2da9de
  - https://gitlab.gnome.org/GNOME/gvfs/-/commit/7a0a06186b6fef07b8fce2360c04fd075fc84ed1
  - https://github.com/OpenMandrivaAssociation/grub2/blob/master/grub-2.02-fuse3.patch

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fuse3/+bug/1934510/+subscriptions

More information about the foundations-bugs mailing list