[Bug 2072621] Re: [MIR] rpds-py
Christian Ehrhardt
2072621 at bugs.launchpad.net
Wed Oct 2 07:26:15 UTC 2024
Indeed, let us re-check after the security ack.
Slyon is unavailable; as agreed in the MIR meeting, I'll have a look at the open tasks:
# Notes
#0 - rpds-py will replace pyrsistent, which is going to be demoted from "main"
OK
the only thing in main holding it is python3-jsonschema which is hereby changed.
pyrsistent would go to auto-demotions then.
#1 - I'm requesting security review, due to parsing untrusted (user) source code
in vendor/proc-macro2 and for tracking the vendored crates
OK
Was approved
Required TODOs:
#2 - The package should make use of "XS-Vendored-Sources-Rust", either via
dh-cargo or manually, see:
https://wiki.ubuntu.com/RustCodeInMain#Rust_vendored_sources_tracking
=> compare to "mdevctl" or "gnome-snapshot"
OK
Was done in 0.20.0-0ubuntu3
Recommended TODOs:
#3 - The package should get a team bug subscriber before being promoted
OK
Done in comment 10
#4 - Consider if dropping non-linux stuff from vendor/libc is feasible
(probably not..)
Not done, but was only optional
#5 - Diverging from Debian, using a -0ubuntuX version is not ideal, but there's
not a lot we can do about it other than slowly trying to get the rust-*-dev
packages into main, one by one.
For now diverging which is ok.
So other than the long term general sentiment of maybe being time to
revisit the rust rules (years have passed, could be better) this is
perfectly fine. => Approving, as it shows in mismatches state is Fix
committed.
** Changed in: rpds-py (Ubuntu)
Status: New => Fix Committed
** Changed in: rpds-py (Ubuntu)
Assignee: Christian Ehrhardt (paelzer) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rpds-py in Ubuntu.
https://bugs.launchpad.net/bugs/2072621
Title:
[MIR] rpds-py
Status in rpds-py package in Ubuntu:
Fix Committed
Bug description:
[Availability]
The package rpds-py is already in Ubuntu universe.
Link to package https://launchpad.net/ubuntu/+source/rpds-py
[Rationale]
This is a new dependency used by python-jsonschema, and python-jsonschema is already part of main ( https://launchpad.net/ubuntu/+source/python-jsonschema )
[Security]
- No CVEs/security issues in this software in the past.
+ https://ubuntu.com/security/cves?package=rpds-py
+ https://security-tracker.debian.org/tracker/source-package/rpds-py
- No executables in /sbin and /usr/bin.
- Package does not install services, timers, or recurring jobs.
- Package does not open privileged ports or expose any external endpoints.
- Package does not contain extensions to security-sensitive software.
- Package does not contain any cryptography functionality.
[Quality assurance - function/usage]
The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rpds-py/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rpds-py
- https://github.com/crate-py/rpds/issues
[Quality assurance - testing]
- The package contains unit tests. It is confirmed to have run and passed the build tests and built successfully on amd64: https://launchpadlibrarian.net/738777197/buildlog_ubuntu-oracular-amd64.python-jsonschema-specifications_2023.12.1-1ubuntu1_BUILDING.txt.gz
- The debian/control file specifies the package can build for all architectures.
- The autopkgtest is disabled, because it doesn't define any - https://git.launchpad.net/ubuntu/+source/rpds-py/tree/debian/control?h=ubuntu/oracular-devel#n21
[Quality assurance - packaging]
- A debian/watch is not present.
- debian/control defines a correct Maintainer field. The maintainer is set to "Debian Python Modules Team <python-modules-team at alioth-lists.debian.net>", because there is no Ubuntu delta applied.
- This package does not yield massive lintian Warnings, Errors
- Recent build log: https://launchpadlibrarian.net/738777197/buildlog_ubuntu-oracular-amd64.python-jsonschema-specifications_2023.12.1-1ubuntu1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- The package does not prompt the user during installation.
- Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/rpds-py/tree/debian/rules?h=ubuntu/oracular
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be Ubuntu OpenStack and I have their acknowledgement for that commitment
- The future owning team is not yet subscribed, but will subscribe to the package before promotion
- The team Ubuntu OpenStack is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM)
- This package does not use vendored code
- The package has been built within the last 3 months in PPA - https://launchpad.net/~freyes/+archive/ubuntu/lp2072621
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rpds-py/0.12.0-3build1
[Background information]
- rpds-py is a set of Python bindings to the Rust rpds crate for persistent data structures. This library is a new dependency of python-jsonschema.
- Upstream Name is rpds-py
- Link to upstream project https://github.com/crate-py/rpds