Public bug reported:

MIR for xdelta3


This is a request to include the xdelta3 package in Ubuntu main.

See below for point-for-point discussion of the items listed at:
https://wiki.ubuntu.com/UbuntuMainInclusionRequirements

[Availability]

Ubuntu Zesty contains xdelta 3.0.11-dfsg-1 in universe.

[Rationale]

xdelta3 is required for the 'download delta' feature in snapd.  This allows
users to save a considerable amount of bandwidth when downloading updates for
installed snap packages. The code has all landed in snapd behind a feature flag,
but cannot be turned on by default until xdelta3 is in main, so snapd can depend
on xdelta3.

[Security]

There was one CVE filed against xdelta3 that I could find:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9765

The xdelta3 package installs a single binary (/usr/bin/xdelta3) which is not
suid or sgid.

[Quality assurance]

- The xdelta3 package requires no configuration after installation.

- As far as I can tell, the package asks no debconf questions of any
priority.

- There are 90 open issues in the upstream bugtracker:
  https://github.com/jmacd/xdelta/issues

- I've scanned the issue list, and while a few issues may impact Ubuntu users
  using xdelta3, none of them seem serious enough to warrant exclusion from main
  in my opinion (but what do I know - that's for someone else to determine).

- The debian bug tracker contains a security bug:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814067

  However this is fixed in the upstream release that's in zesty, and I can see a
  distropatch in the version that's in Xenial (I'm assuming it's been fixed in
  yakkety as well).

- The debian package is maintained by 'A Mennucc1', see:
  https://packages.qa.debian.org/x/xdelta3.html

- The xdelta3 package does not require any exotic hardware.

- I'm honestly not sure if the upstream test suite is run during the package
  build. I see no explicit test runs in debian/rules, but there is a 'check'
  make target, so perhaps that's invoked by default?

- The package contains a debian/watch file.

[UI Standards]

The xdelta3 package ships command line utilities, so I think it's exempt from
the requirements of this section.

[Dependencies]

The two dependencies of xdelta3 (libc6 and liblzma5) are both already in
main.

[Standards Compliance]

Since xdelta3 is already in debian, I can only assume that it conforms to the
related standards.

[Maintenance]

I think xdelta3 is relatively stable software, and the debian maintenance seems
adequate to me to minimise the amount of work we need to do to keep this package
in main.

[Background Information]

The xdelta3 package description contains a basic useful description of the
purpose of the package. The motivation behind this MIR is described in the
'rationale' section of this bug report.

** Affects: xdelta3 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1647222

Title:
  [MIR] xdelta3