[Bug 2023531] Re: [MIR] dotnet6

Dominik Viererbe 2023531 at bugs.launchpad.net
Tue Nov 21 14:14:44 UTC 2023


Hi, since the last time we had multiple discussions with Microsoft, the
SRU Team, the Security Team, Oliver Smith and Lech Sandecki.

We will backport security patches after the upstream support ends as
part of the Ubuntu LTS and Ubuntu Pro story, but we still recommend
users to switch versions after the upstream support ends. Therefore we
no longer need an exception.

Additionally our support/distribution strategy has changed (see #3 [1] for details about the old strategy):
- We will ship the latest .NET LTS (e.g. .NET 6, 8, 10) to the latest Ubuntu LTS and backport to the -1 Ubuntu LTS and Interim releases.
- We will ship .NET STS releases (.NET 7, 9, 11) only to Ubuntu Interim releases.

e.g.
- .NET 8 LTS will be on 22.04 LTS, 23.10 and 24.04 LTS
- .NET 9 STS will be on 24.10, 25.04, 25.10
- .NET 10 LTS will be on 24.04 LTS, 25.04, 25.10 and 26.04 LTS

With this change we would like to have all .NET packages in main. The
only exception is .NET 7 in jammy that we want to keep in universe.

I will open separate MIR requests for the dotnet7 and dotnet8 packages.

FYI:
- I am currently backporting .NET 8 to jammy 
- We will not backport .NET 8 to lunar, because of the limited lifespan left. 
- .NET 6 and 7 are currently in noble, but we will remove them over the next weeks.

[1]
https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug/2023531/comments/3

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dotnet6 in Ubuntu.
https://bugs.launchpad.net/bugs/2023531

Title:
  [MIR] dotnet6

Status in dotnet6 package in Ubuntu:
  Incomplete

Bug description:
  [Availability]
   The package dotnet6 is already in Ubuntu universe.
   The package dotnet6 builds for the architectures it is designed to work on.
   - See: https://github.com/dotnet/core/blob/main/release-notes/6.0/supported-os.md
   It currently builds and works for architectures: amd64, arm64
   Link to package https://launchpad.net/ubuntu/+source/dotnet6

  [Rationale]
   - The package dotnet6 is required in Ubuntu main as part of
     Canonical's partnership with Microsoft to shorten the supply
     chain between Canonical and Microsoft and improve the .NET
     developer experience on Ubuntu. Read more here:
     - https://canonical.com/blog/install-dotnet-on-ubuntu
     - https://devblogs.microsoft.com/dotnet/dotnet-6-is-now-in-ubuntu-2204/
   - The package dotnet6 will generally be useful for a large part of
     our user base
   - It would be great and useful to community/processes to have the
     package dotnet6 in Ubuntu main, but there is no definitive deadline.

  [Security]
   - dotnet6 had security issues in the past that have been
     fixed, see trackers:
     - https://ubuntu.com/security/cves?package=dotnet6
     - https://github.com/dotnet/core/blob/main/release-notes/6.0/cve.md
     - NOTE: When searching for .NET CVEs in other trackers,
       keep in mind that .NET Framework and .NET (Core) is not
       the same and that many CVEs do not affect Linux distributions.
   - The Security Team and Foundations Toolchain Squad already
     work together with Microsoft to release security updates
     to Ubuntu.
   - Microsoft has weekly meetings with .NET Security Partners
     (including Canonical) where they get and keep informed
     about Security Issues.
   - .NET Security Partners (including Canonical) have early
     access to .NET releases containing CVE patches.
   - Microsoft and .NET Security Partners (including Canonical)
     coordinate releases to disclose and provide patches for
     security issues on all platforms at the same time.
   - Microsoft informs Users about (security) issues in the
     monthly release notes where they also recommend actions
     to mitigate these issues.
     See example Release Note containing CVE warning:
     https://devblogs.microsoft.com/dotnet/february-2023-updates/
   - no `suid` or `sgid` binaries
   - no executables in `/sbin` and `/usr/sbin`
   - Packages do not open privileged ports (ports < 1024)
   - Packages do not contain extensions to security-sensitive software
     (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
   - The package works well right after install

  [Quality assurance - maintenance]
   - The package is maintained well in Ubuntu/Upstream and does
     not have too many, long-term & critical, open bugs
     - Ubuntu https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug
     - There are multiple bug trackers upstream for the individual 
       components of the package https://github.com/dotnet
   - The package has no important open bugs
   - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
   - The package runs a test suite on build time, if it fails
     it makes the build fail, link to build logs:
     - mantic amd64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165948
     - mantic arm64: https://launchpad.net/ubuntu/+source/dotnet6/6.0.116-0ubuntu3/+build/26165949
     - lunar amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976292
     - lunar arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25976293
     - kinetic amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964381
     - kinetic arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ppa/+build/25964382
     - jammy amd64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974197
     - jammy arm64: https://launchpad.net/~ubuntu-security/+archive/ubuntu/ubuntu-security-staging-private/+build/25974198
   - The package runs an autopkgtest, and is currently passing
     on mantic/lunar/kinetic/jammy amd64/arm64 https://autopkgtest.ubuntu.com/packages/dotnet6
   - The package does NOT have failing autopkgtests tests right now.

  [Quality assurance - packaging]
   - debian/watch is present and works*
     (*Canonical has to work around the debian/watch file to
     consume embargoed releases before the official release)
   - debian/control defines a correct Maintainer field
   - This package does yield massive lintian Warnings/Errors,
     but they are either false-positives or acceptable.
   - Lintian overrides are present, but ok because of false-positive
     lintian warnings. The concrete reasons are explained as a
     comment in the overwrite files.
   - The package will not be installed by default
   - Packaging is complex, but that is ok because the software
     we are packaging is complex and we are working with
     Microsoft to reduce the complexity.

  [UI standards]
   - Application is end-user facing, Translation is NOT present,
     this is ok, as the application just provides a Command Line
     Interface for developers. The CLI output should not be
     translated to maintain online searchable error messages.
   - The exception messages of the .NET Runtime are localized.
   - End-user applications without desktop file, not needed,
     because it just provides libraries and command line tools

  [Dependencies]
   - There are further dependencies that are not yet in main, the MIR
     process for them is handled as part of this bug here.
     - lld binary and source package is in universe
     - llvm binary and source package is in universe
     - locales-all is in universe, but its source glibc is already in main

  [Standards compliance]
   - This package correctly follows FHS and Debian Policy (AFAICT: this package is huge and I have only limited experience)

  [Maintenance/Owner]
   - Team is already subscribed to the package
   - This package has embedded/vendorized dependencies. 
     We are aware of this problem and working on getting rid of them.
   - This package is not rust based
   - The package has been built in the archive more recently than the last
     test rebuild

  [Background information]
   - The Package description explains the package well
   - Upstream Name is ".NET 6"
   - Upstream project: https://github.com/dotnet/source-build
   - This MIR exists in parallel to the MIR for dotnet7

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug/2023531/+subscriptions