[Bug 2004442] Re: [MIR] aom (dependency of libheif)
Lukas Märdian
2004442 at bugs.launchpad.net
Thu Apr 18 14:15:36 UTC 2024
** Changed in: aom (Ubuntu)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to aom in Ubuntu.
https://bugs.launchpad.net/bugs/2004442
Title:
[MIR] aom (dependency of libheif)
Status in aom package in Ubuntu:
Fix Committed
Status in aom package in Debian:
Fix Released
Bug description:
[Availability]
- The package aom is already in Ubuntu universe.
- The package aom builds for the architectures it is designed to work on.
- It currently builds and works for architectures:
amd64 arm64 armhf i386 ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/aom/
[Rationale]
- The package aom is required in Ubuntu main for libheif
- The package aom will generally be useful for a large part of our user base
as it provides a state-of-the-art and royalty-free video codec [1].
- The package aom is a new runtime dependency of package libheif that
we will support
- It would be great and useful to community/processes to have the package
aom in Ubuntu main, but there is no definitive deadline.
[Security]
- aom had security issues in the past:
- https://ubuntu.com/security/CVE-2020-36135 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2020-36134 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2020-36133 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2020-36131 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2020-36130 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2020-36129 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2021-30475
https://security-tracker.debian.org/tracker/CVE-2021-30475 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2021-30474
https://security-tracker.debian.org/tracker/CVE-2021-30474 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2021-30473
https://security-tracker.debian.org/tracker/CVE-2021-30473 Fixed in 3.2.0-1
- https://ubuntu.com/security/CVE-2019-2126
3.5.0-1 contains mkparser.cc without vulnerability – changes from commit
https://github.com/webmproject/libvpx/commit/6a7c84a2449dcc70de2525df209afea908622399
are applied
There are no CVEs open against current (3.5.0-1) version of the package.
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software:
the package provides AV1 video codec which processes untrusted input
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has no bugs open
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/aom/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=aom
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a test at build time because unit test suite
requires provisioned data that is downloaded at the build time
- The package runs an autopkgtest, and is currently passing on
amd64 arm64 armhf i386 ppc64el riscv64 s390x list of architectures,
link to test logs https://autopkgtest.ubuntu.com/packages/aom
- The package does not have failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors:
- Please link to a recent build log of the package
https://launchpadlibrarian.net/632257390/buildlog_ubuntu-lunar-amd64.aom_3.5.0-1_BUILDING.txt.gz
- Please attach the full output you have got from
`lintian --pedantic` as an extra post to this bug.
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules
https://git.launchpad.net/ubuntu/+source/aom/tree/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications without desktop file, not needed because it does not
provide GUI
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- libyuv0: LP: #2004516
- libwebm: LP: #2004523
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations Team
- Team is already subscribed to the package
- The team Foundations Team is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM)
- The team Foundations Team is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).
- This package uses vendored code, refreshing that code is outlined
in corresponding readme files:
- fastfeat: /third_party/fastfeat/README.libaom
A part of the microlibrary for corner detection last updated 14 years ago.
- googletest: /third_party/googletest/README.libaom
This dependency is build time only. It can be replaced with a system one.
- libwebm: /third_party/libwebm/README.libaom
We can add a patch to use system libwebm.
- vector: /third_party/vector/README.libaom
This is a micro library providing a vector class.
- This package is not rust based
- The package successfully built during the most recent test rebuild
[Background information]
The Package description explains the package well
Upstream Name is Alliance for Open Media
Link to upstream project https://aomedia.googlesource.com/aom/
[1] https://en.wikipedia.org/wiki/AV1