[Bug 1934510] [NEW] [MIR] fuse3 as a dependency of qemu 6.0 and GNOME apps

Launchpad Bug Tracker 1934510 at bugs.launchpad.net
Thu Jan 6 12:18:04 UTC 2022


You have been subscribed to a public bug by Christian Ehrhardt  (paelzer):

Please promote the following binary packages built from src:fuse3 to
main:

  - libfuse3-3
  - libfuse3-dev

[Availability]

The inclusion of fuse3 in Ubuntu is fairly recent, first being imported
in Focal as a sync from Debian, however its predecessor src:fuse from
the same upstream (libfuse [1]) has been packaged in Debian since 2002,
it's already in main and has been in Ubuntu forever.

The upstream project is "the reference implementation of the Linux FUSE
(Filesystem in Userspace) interface" [1] , and can be fully trusted to
keep maintaining the package in the foreseeable future.

fuse3 is currently a sync from Debian in Focal, Groovy, Hirsute and
Impish.

[Rationale]

QEMU 6.0 added support for FUSE block exports, which allow mounting the
guest view of any QEMU block device node as a host file. Debian enabled
this feature in src:qemu 1:6.0+dfsg-1~exp0 [3], currently in
experimental, by adding a new build-dep on libfuse3-dev [4]. We want to
bring this support to Ubuntu when merging qemu 6.0 from Debian, and
therefore we need to MIR bin:libfuse3-dev and its runtime counterpart
bin:libfuse3-3.

[Security]

The package is a library and won't add daemons, setuid binaries, or
anything requiring authentication. (This is contrast with the bin:fuse3
package which ships a setuid binary, but which is not part of this MIR.)

The upstream README.md at [1] has a "Security implications" section
which only deals with fuse3, no warning is raised regarding the library.

Given the popularity of the project we can assume that Linus' law
applies [5].

[Quality assurance]

There are 0 open bugs in Ubuntu against src:fuse3.

In Debian there are a few bugs against bin:fuse3, including a Serious
(=> RC) bug, currently tagged "bullseye-ignore", but considered valid.
The bin:fuse3 package is not part of this MIR. (It is likely that we'll
want to also MIR bin:fuse3 at some point, and I considered doing so as
part of this MIR, but it is more sensible to wait for that RC bug to be
fixed before proceeding.)

There are no noteworthy Debian bugs against src:fuse3 or any bin:
package part of this MIR.

[Dependencies]

libfuse3-3: libc6 [ok]
libfuse3-dev: libfuse3-3, libselinux-dev [ok]
fuse3: libc6, libfuse3-3, adduser, mount, sed, lsb-base [ok]

[Standards compliance]

$ lintian fuse3_3.10.3-2.dsc
N: 2 hints overridden (2 errors)

The two overridden errors are "source-is-missing" errors for Javascript
files which are not used or installed by any binary package:

source-is-missing doc/html/jquery.js line length is 32401 characters (>512)
source-is-missing doc/html/menu.js line length is 695 characters (>512)

The second source-is-missing error looks like a false positive to me
(the JS is not minimized). Avoiding the override  on jquery would
require a +dfsg repacked source, with the extra maintenance it requires.
I agree with the overrides in this case.

[Maintenance]
=============

The Foundations Team maintains fuse (v2) so far and we are looking to
them if they plan to transition to and own v3 at some point.

--

[1] https://github.com/libfuse/libfuse
[2] https://wiki.qemu.org/ChangeLog/6.0
[3] https://metadata.ftp-master.debian.org/changelogs//main/q/qemu/qemu_6.0+dfsg-1~exp0_changelog
[4] https://salsa.debian.org/qemu-team/qemu/-/commit/9fdcf4181e1c8120e6b7c9059209656469bf499b
[5] https://en.wikipedia.org/wiki/Linus%27s_law
[6] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918984


----

>From some later work on the Dependencies, here a list of related
bugs/issues that need to be resolved to make this happen:

From:
https://lists.ubuntu.com/archives/ubuntu-devel/2021-July/041530.html

- https://bugs.launchpad.net/ubuntu/+source/fuse3/+bug/1934510
- https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1935659
- https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1935665
- https://bugs.launchpad.net/ubuntu/+source/s390-tools/+bug/1935666
- https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1935667
- https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal/+bug/1935668
- https://github.com/libfuse/libfuse/blob/master/ChangeLog.rst#libfuse-300-2016-12-08
- https://github.com/ceph/ceph/commit/cb0a600acfca76c5b4653e4c6f34c1712a2da9de
- https://gitlab.gnome.org/GNOME/gvfs/-/commit/7a0a06186b6fef07b8fce2360c04fd075fc84ed1
- https://github.com/OpenMandrivaAssociation/grub2/blob/master/grub-2.02-fuse3.patch

** Affects: fuse3 (Ubuntu)
     Importance: Undecided
         Status: Fix Released


** Tags: fr-1486
-- 
[MIR] fuse3 as a dependency of qemu 6.0 and GNOME apps
https://bugs.launchpad.net/bugs/1934510
You received this bug notification because you are a member of Ubuntu Package Archive Administrators, which is subscribed to the bug report.



More information about the ubuntu-archive mailing list