Just for the sake of reference, here are the (binary) packages in the
proposed pocket currently blocked on this:
tracker-extract
nautilus
[tinysparql binaries]
I have added these as affected on the bug (along with the update-excuse
tag) so we can track the packages affected by this accordingly. MIR
team, please ignore these additions, they're just for proposed migration
triaging reference. Archive Admin processing the promotion (if
successful), please also mark those other packages as Fix Released once
you process this.
Warm regards, and thanks for filing this, Jeremy,
Simon
** Also affects: tracker-miners (Ubuntu)
Importance: Undecided
Status: New
** Also affects: nautilus (Ubuntu)
Importance: Undecided
Status: New
** Tags added: update-excuse
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to tracker-miners in Ubuntu.
https://bugs.launchpad.net/bugs/2099086
Title:
[MIR] tinysparql
Status in nautilus package in Ubuntu:
New
Status in tinysparql package in Ubuntu:
New
Status in tracker-miners package in Ubuntu:
New
Bug description:
The Tracker developers have renamed Tracker to TinySPARQL. We have
packaged the latest version with the source package tinysparql and
will remove the source package tracker after tinysparql migrates out
of plucky-proposed.
This MIR should be processed along with the localsearch MIR LP:
#2099160
[Availability]
The package tinysparql is already in Ubuntu universe.
The package tinysparql build for the architectures it is designed to work on.
It currently builds and works for all Ubuntu architectures except for i386
Link to package https://launchpad.net/ubuntu/+source/tinysparql
[Rationale]
- The package tinysparql is required in Ubuntu main because it is GNOME's
search indexer and is deeply integrated into nautilus.
- The package tinysparql will generally be useful for a large part of our
user base
- The package tinysparql will not generally be useful for a large part of
- The package tinysparql is a new runtime dependency of package nautilus that
we already support
- There is no other/better way to solve this that is already in main or
should go universe->main instead of this.
- The binary package tinysparql needs to be in main to achieve: the "tracker"
name doesn't exist after the 3.7 series for GNOME 46. We want to use the
supported "tinysparql" series instead.
- The package tinysparql is required in Ubuntu main for Ubuntu 25.04.
The package rename was uploaded to Ubuntu 25.04 before Feature Freeze.
[Security]
- No CVEs/security issues in this software in the past
tracker-miners had a CVE (see LP: #2099160)
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install services, timers or recurring jobs
systemd user service tinysparql-xdg-portal-3.service
dbus service org.freedesktop.portal.Tracker.service
- Security has been kept in mind and common isolation/risk-mitigation
patterns are in place utilizing the following features:
localsearch handles much of the indexing
- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
TODO: - Packages does not contain extensions to security-sensitive software
TODO: (filters, scanners, plugins, UI skins, ...)
I'm not sure what those terms mean, but I consider this to be
security-sensitive software.
Out of an abundance of caution (and because it requires NPM stuff
which is complex to build), I have removed the tinysparql web-ide
feature from the Debian/Ubuntu packaging of tracker. This annoys
upstream who would prefer to have it easily available for install
https://gitlab.gnome.org/GNOME/tinysparql/-/issues/477
GNOME provides this page for reporting security vulnerabilities in core GNOME
components like tinysparql
https://security.gnome.org/
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream. However, there
are a lot of open Ubuntu bugs.
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/tracker
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=tracker
- Upstream https://gitlab.gnome.org/GNOME/tinysparql/-/issues
The Ubuntu Desktop team believes that tracker has significantly
improved in performance in recent years, but still might misbehave. On
the other hand, the localsearch sandbox has been so strict that it can
take time for the sandbox to be adjusted upstream to account for
changes in dependencies.
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build
fail, link to build log
https://launchpad.net/ubuntu/+source/tinysparql/3.8.2-3
TODO-A: - The package runs an autopkgtest, and is currently passing on
TODO-A: this TBD list of architectures, link to test logs TBD
https://autopkgtest.ubuntu.com/packages/tinysparql
RULE: - existing but failing tests that shall be handled as "ok to fail"
RULE: need to be explained along the test logs below
TODO-A: - The package does have not failing autopkgtests right now
TODO-B: - The package does have failing autopkgtests tests right now, but
since
TODO-B: they always failed they are handled as "ignored failure", this is
TODO-B: ok because TBD
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package
https://launchpad.net/ubuntu/+source/tinysparql/3.8.2-3
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions
- Packaging and build is easy, link to debian/rules
https://salsa.debian.org/gnome-team/tinysparql/-/blob/debian/latest/debian/rules
[UI standards]
- Application is end-user facing, Translation is present, via standard
intltool/gettext or similar build and runtime internationalization system
- End-user applications without desktop file, not needed because it is
more of a service than an app. However, it can be configured with
gnome-control-center in the Search page.
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
except for the localsearch MIR LP: #2099160
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be Desktop Packages and I have their acknowledgement
for that commitment
TODO-A: - The future owning team is already subscribed to the package
TODO-B: - The future owning team is not yet subscribed, but will subscribe to
the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on launchpad:
https://launchpad.net/ubuntu/+source/tinysparql/3.8.2-3
[Background information]
The Package description explains the package well
Upstream Name is tinysparql
https://gitlab.gnome.org/GNOME/tinysparql
Link to previous MIR LP: #1313996
Ubuntu 25.04 ships tinysparql 3.8 (GNOME 47) because localsearch 3.9 (GNOME
48) switched to ffmpeg/libav (which are in Ubuntu universe) and the Ubuntu
Desktop Team has not had time to evaluate the situation.
https://gitlab.gnome.org/GNOME/localsearch/-/merge_requests/579
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/2099086/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
