[Bug 2003570] Re: [MIR] rich

Lukas Märdian 2003570 at bugs.launchpad.net
Tue Feb 14 11:40:47 UTC 2023


Status update:
1a: markdown-it-py is MIR ACK, pending security review
1b: mdurl is MIR ACK, pending security review
1c: python-typing-extensions is MIR ACK and ready to be promoted

2: bug #2003981 got resolved on Ubuntu's autopkgtest infrastructure and
pytests are now running properly (but the queues are very full and it
takes a while for all those tests to be re-executed). It already passed
on amd64: https://autopkgtest.ubuntu.com/packages/rich/lunar/amd64
(without changes to the packaging)

3: v3.3.1 got uploaded into Debian unstable and should be auto-synced
into Ubuntu soon: https://tracker.debian.org/pkg/rich

So I feel like the required TODOs are resolved and this is ready for
security review. Assigning ~ubuntu-security.

** Changed in: rich (Ubuntu)
       Status: Incomplete => New

** Changed in: rich (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rich in Ubuntu.
https://bugs.launchpad.net/bugs/2003570

Title:
  [MIR] rich

Status in netplan.io package in Ubuntu:
  New
Status in rich package in Ubuntu:
  New

Bug description:
  [Availability]
  The package rich is already in Ubuntu universe.
  The package rich builds for the architectures it is designed to work on.
  It currently builds and works for architectures: all
  Link to package https://launchpad.net/ubuntu/+source/rich

  [Rationale]
  - The package rich is required in Ubuntu main due to a new feature in netplan.io
  intended to collect the current system network state and present to the user. A new command
  (netplan status) was recently merged (https://github.com/canonical/netplan/pull/290) to netplan
  and makes use of python3-rich to present the information.

  - The package rich will generally be useful for a large part of
  our user base as it will be used by Netplan, which is an important component
  of Ubuntu.

  - The package rich is a new runtime dependency of package netplan.io that
  we already support

  - The package rich is required in Ubuntu main no later than Feb 23
  due to feature freeze and our plans to release a new version of netplan
  with the new feature.

  [Security]
  - No CVEs/security issues in this software in the past
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu and has not too many
  and long term critical bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rich/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rich
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/rich/13.0.0-1/+build/25446927

  - The package does not run an autopkgtest because it doesn't contain
  any

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package https://launchpadlibrarian.net/644126595/buildlog_ubuntu-lunar-amd64.rich_13.0.0-1_BUILDING.txt.gz
  - Lintian overrides are not present

  TODO: - This package does not rely on obsolete or about to be demoted
  packages.

  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf
  questions higher than medium
  - Packaging and build is easy, link to d/rules https://git.launchpad.net/ubuntu/+source/rich/tree/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  There are further dependencies that are not yet in main, MIR for them is at:
  https://bugs.launchpad.net/ubuntu/+source/markdown-it-py/+bug/2003568
  https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818
  https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821

  Please note that rich does not yet depend on markdown-it-py but upstream
  just migrated to it. A new version of src:rich will add it as a
  dependency and drop commonmark.

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - Owning Team will be Foundations
  - Team is not yet, but will subscribe to the package before promotion

  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  - The package has been built in the archive more recently than the last
  test rebuild

  [Background information]
  - The Package description explains the package well
  - Upstream Name is rich
  - Link to upstream project https://github.com/Textualize/rich

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2003570/+subscriptions
