[Bug 2003570] Re: [MIR] rich

Lukas Märdian 2003570 at bugs.launchpad.net
Tue Feb 21 10:55:33 UTC 2023


Thanks a lot for the security review!

Not sure if we need/want an explicit dh-python build-dependency... The
package build-depends on pybuild-plugin-pyproject already, which is a
binary from the src:dh-python source and build depends on dh-python
itself.

I think we should rather try to avoid introducing delta against Debian,
which does not want to add an explicit dh-python B-D:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031703

Wrt removal of ./tools/ (and ./benchmarks/results/): I think we
shouldn't diverge from Debian's orig tarball here, without consensus, as
that would introduce a significant delta in Ubuntu which is kind of hard
to maintain. As ./tools/README.md states those files are only used for
development and are not part of any of the built binary packages. So is
the runtime dependency of "black" (not part of the packaging, not a .deb
dependency). Those directories only affect the orig tarball and source
package size, as such we should not touch those IMO.

** Bug watch added: Debian Bug tracker #1031703
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031703

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rich in Ubuntu.
https://bugs.launchpad.net/bugs/2003570

Title:
  [MIR] rich

Status in netplan.io package in Ubuntu:
  New
Status in rich package in Ubuntu:
  In Progress

Bug description:
  [Availability]
  The package rich is already in Ubuntu universe.
  The package rich builds for the architectures it is designed to work on.
  It currently builds and works for architectures: all
  Link to package https://launchpad.net/ubuntu/+source/rich

  [Rationale]
  - The package rich is required in Ubuntu main due to a new feature in netplan.io
  intended to collect the current system network state and present to the user. A new command
  (netplan status) was recently merged (https://github.com/canonical/netplan/pull/290) to netplan
  and makes use of python3-rich to present the information.

  - The package rich will generally be useful for a large part of
  our user base as it will be used by Netplan, which is an important component
  of Ubuntu.

  - The package rich is a new runtime dependency of package netplan.io that
  we already support

  - The package rich is required in Ubuntu main no later than Feb 23
  due to feature freeze and our plans to release a new version of netplan
  with the new feature.

  [Security]
  - No CVEs/security issues in this software in the past
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Package does not open privileged ports (ports < 1024)
  - Package does not contain extensions to security-sensitive software

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu and does not have too many
  long-term critical bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rich/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rich
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log https://launchpad.net/ubuntu/+source/rich/13.0.0-1/+build/25446927

  - The package does not run an autopkgtest because it doesn't contain
  any

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package https://launchpadlibrarian.net/644126595/buildlog_ubuntu-lunar-amd64.rich_13.0.0-1_BUILDING.txt.gz
  - Lintian overrides are not present

  TODO: - This package does not rely on obsolete or about to be demoted
  packages.

  - This package has no python2 or GTK2 dependencies
  - The package will be installed by default, but does not ask debconf
  questions higher than medium
  - Packaging and build is easy, link to d/rules https://git.launchpad.net/ubuntu/+source/rich/tree/debian/rules

  [UI standards]
  - Application is not end-user facing (does not need translation)

  [Dependencies]
  There are further dependencies that are not yet in main, MIR for them is at:
  https://bugs.launchpad.net/ubuntu/+source/markdown-it-py/+bug/2003568
  https://bugs.launchpad.net/ubuntu/+source/mdurl/+bug/2002818
  https://bugs.launchpad.net/ubuntu/+source/python-typing-extensions/+bug/2002821

  Please note that rich does not yet depend on markdown-it-py, but upstream
  just migrated to it. A new version of src:rich will add it as a
  dependency and drop commonmark.

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - Owning Team will be Foundations
  - Team is not yet, but will subscribe to the package before promotion

  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  - The package has been built in the archive more recently than the last
  test rebuild

  [Background information]
  - The Package description explains the package well
  - Upstream Name is rich
  - Link to upstream project https://github.com/Textualize/rich

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2003570/+subscriptions
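The [Security] checklist in the MIR template above (no suid/sgid binaries, nothing in /sbin or /usr/sbin, no services, timers or recurring jobs) is something a reviewer can verify from the binary package's file list rather than take on trust. The script below is an added example for this thread, not code from the bug report, the rich package or netplan: it reads a listing in the format `dpkg -c pkg.deb` prints and flags every entry that would fail one of those checklist items. The listing embedded in it is constructed for illustration and deliberately contains one bad entry of each kind; it is not the real contents of python3-rich. The "privileged ports" item cannot be decided from a file list and is therefore not covered. For a real package, pipe `dpkg -c python3-rich_*.deb` into `mir_audit` instead of the sample.

```shell
#!/bin/sh
# Added example: audit a Debian binary package's file list against the MIR
# [Security] checklist items that are decidable from the archive contents.
# Not from the bug report, the rich package or netplan.

# CONSTRUCTED sample in `dpkg -c` format, with one offending entry per check.
# This is NOT the real contents of python3-rich.
SAMPLE_LISTING='drwxr-xr-x root/root         0 2023-02-21 10:55 ./
drwxr-xr-x root/root         0 2023-02-21 10:55 ./usr/
drwxr-xr-x root/root         0 2023-02-21 10:55 ./usr/lib/python3/dist-packages/rich/
-rw-r--r-- root/root      1234 2023-02-21 10:55 ./usr/lib/python3/dist-packages/rich/__init__.py
-rw-r--r-- root/root      5678 2023-02-21 10:55 ./usr/lib/python3/dist-packages/rich/console.py
-rwsr-xr-x root/root     34567 2023-02-21 10:55 ./usr/bin/example-setuid-helper
-rwxr-sr-x root/root     23456 2023-02-21 10:55 ./usr/lib/example/sgid-tool
-rwxr-xr-x root/root     12345 2023-02-21 10:55 ./usr/sbin/example-daemon
-rw-r--r-- root/root       321 2023-02-21 10:55 ./lib/systemd/system/example.timer
-rw-r--r-- root/root       210 2023-02-21 10:55 ./etc/cron.d/example'

# CONSTRUCTED clean listing (pure-Python module files only) for comparison.
CLEAN_LISTING='drwxr-xr-x root/root         0 2023-02-21 10:55 ./
drwxr-xr-x root/root         0 2023-02-21 10:55 ./usr/lib/python3/dist-packages/rich/
-rw-r--r-- root/root      1234 2023-02-21 10:55 ./usr/lib/python3/dist-packages/rich/__init__.py'

# mir_audit: read a `dpkg -c` style listing on stdin, print one line per
# finding prefixed with the checklist item it violates, and return 1 if
# anything was flagged (0 if the listing is clean).
mir_audit() {
    awk '
    {
        mode = $1; path = $6
        # dpkg -c prints every path with a leading "./"; normalise to "/".
        sub("^\\./", "/", path)
        # $1 is the ls-style mode string: "s" in the owner-execute slot
        # (char 4) is setuid, "s" in the group-execute slot (char 7) is setgid.
        if (substr(mode, 4, 1) == "s") { print "suid: " path; n++ }
        if (substr(mode, 7, 1) == "s") { print "sgid: " path; n++ }
        # Anything (other than the directory itself) under /sbin or /usr/sbin.
        if (substr(mode, 1, 1) != "d" && path ~ "^/(usr/)?sbin/") { print "sbin: " path; n++ }
        # systemd services, timers and sockets shipped by the package.
        if (path ~ "^/(usr/)?lib/systemd/system/.*\\.(service|timer|socket)$") { print "unit: " path; n++ }
        # Recurring jobs: cron.d / cron.* fragments and SysV init scripts.
        if (substr(mode, 1, 1) != "d" && path ~ "^/etc/(cron\\.(d|hourly|daily|weekly|monthly)|init\\.d)/") { print "cron: " path; n++ }
    }
    END { exit (n > 0 ? 1 : 0) }
    '
}

# Audit the constructed bad sample; exit status is mir_audit's (1 expected).
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | mir_audit
}

# Audit the constructed clean listing; exit status is mir_audit's (0 expected).
audit_clean() {
    printf '%s\n' "$CLEAN_LISTING" | mir_audit
}

# Number of findings of one kind (suid, sgid, sbin, unit, cron) in the sample.
count_findings() {
    printf '%s\n' "$SAMPLE_LISTING" | mir_audit | grep -c "^$1: "
}

# Stand-alone run: print the findings for the sample listing.
audit_sample || echo "sample listing would fail the MIR security checklist"
```

Running it on the sample prints five findings (one each for suid, sgid, sbin, unit and cron) and exits non-zero; the clean listing produces no output and exits 0. The mode-string positions and the `./` path prefix are what `dpkg -c` (i.e. `tar -tv`) emits, so the same function works unchanged on `dpkg -c` output from a real .deb.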
