** Description changed: It's the third time that counts [Availability] The package ruby-json is already in Ubuntu universe. The package ruby-json build for the architectures it is designed to work on. It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/ruby-json [Rationale] The situation for ruby-json is the same as the ones in https://bugs.launchpad.net/ubuntu/+source/ruby3.3/+bug/1556608 - in fact, it's just another instance of the same case. It was provided by libruby, but it's not anymore from version 3.3.5-1. This was not listed in the referenced bug because it's not something ruby3.3 depends on, but other packages depend on it. My example here is pcs: the dependency on ruby-json there was dropped because the interpreter would provide it, but now it'll be re-inserted in the next merge, which will cause a component mismatch in -proposed. As this was part of libruby, we can consider it "was already on main" at some point in time, and then separated for better maintenance and explicit dependency. A MIR for ruby-json was approved a few years ago, when libruby still provided the gem: https://bugs.launchpad.net/ubuntu/+source/ruby- json/+bug/1990572 This needs to be promoted to main as soon as possible, to unblock the pcs migration, which in turn will help in the ruby-rack stack migration. There is no other/better way to solve this that is already in main. - The source builds a single homonymous binary, ruby-json, and it's debug + The source builds a single homonymous binary, ruby-json, and its debug symbols. [Security] The security review performed in https://bugs.launchpad.net/ubuntu/+source/ruby-json/+bug/1990572 was used as a base. The following CVEs were reported with ruby-json involved. - CVE-2013-0269 - CVE-2020-10663 Both of them are listed in the Debian tracker. 
https://security-tracker.debian.org/tracker/source-package/ruby-json also shows - CVE-2025-27788 Which affects 2.10.0 and was ficed in 2.10.2. However, the version packaged in debian unstable/ubuntu devel is 2.9.1, which is lower than the one affected. In a future merge, the version will already contain the fix. This is a ruby library with no executables. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - does not install services, timers or recurring jobs - does not open privileged ports (ports < 1024). - does not expose any external endpoints - does not contain extensions to security-sensitive software [Quality assurance - function/usage] The package works well right after install [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs: - Ubuntu https://bugs.launchpad.net/ubuntu/+source/ruby-json/+bug - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=ruby-json - Upstream: https://github.com/ruby/json/issues The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite on build time, if it fails, and it makes the build fail. 
Link to recent build log: https://launchpadlibrarian.net/803877316/buildlog_ubuntu-questing-amd64.ruby-json_2.9.1+dfsg-1_BUILDING.txt.gz The package runs autopkgtests, and is currently passing on all architectures, as seen in https://autopkgtest.ubuntu.com/packages/ruby- json [Quality assurance - packaging] debian/watch is present and works debian/control defines a correct Maintainer field This package does not yield massive lintian Warnings, Errors Recent build log of the package: https://launchpadlibrarian.net/803877316/buildlog_ubuntu-questing-amd64.ruby-json_2.9.1+dfsg-1_BUILDING.txt.gz This is the full output I have got from `lintian --pedantic`: W: ruby-json: old-fsf-address-in-copyright-file P: ruby-json: repeated-path-segment 3.3.0 [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/extensions/x86_64-linux-gnu/3.3.0/] P: ruby-json: repeated-path-segment ext [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/gems/json-2.9.1/ext/json/ext/] P: ruby-json: repeated-path-segment lib [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/gems/json-2.9.1/lib/] P: ruby-json: repeated-path-segment x86_64-linux-gnu [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/extensions/x86_64-linux-gnu/] Lintian overrides are not present This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies The package will not be installed by default Packaging and build is easy: https://git.launchpad.net/ubuntu/+source/ruby-json/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation) [Dependencies] Used check-mir from ubuntu-dev-tools to validate, and all dependencies or recommends are in main. 
[Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] The owning team will be ubuntu-server, and I have their acknowledgment for that commitment This does not use static builds This does not use vendored code This package is not rust based The package has been built within the last 3 months in a PPA: https://launchpad.net/~rr/+archive/ubuntu/mir-ruby-json [Background information] The Package description explains the package well Upstream Name is json Link to upstream project: https://github.com/ruby/json
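Review bot: The [Security] paragraph on CVE-2025-27788 still reads "was ficed in 2.10.2" after this edit, which only corrects "it's debug" to "its debug" in [Rationale]. Fix that typo in the same pass, together with "The package ruby-json build for the architectures" in [Availability], which should read "builds".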
** Description changed: It's the third time that counts [Availability] The package ruby-json is already in Ubuntu universe. The package ruby-json build for the architectures it is designed to work on. It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/ruby-json [Rationale] The situation for ruby-json is the same as the ones in https://bugs.launchpad.net/ubuntu/+source/ruby3.3/+bug/1556608 - in fact, it's just another instance of the same case. It was provided by libruby, but it's not anymore from version 3.3.5-1. This was not listed in the referenced bug because it's not something ruby3.3 depends on, but other packages depend on it. My example here is pcs: the dependency on ruby-json there was dropped because the interpreter would provide it, but now it'll be re-inserted in the next merge, which will cause a component mismatch in -proposed. As this was part of libruby, we can consider it "was already on main" at some point in time, and then separated for better maintenance and explicit dependency. A MIR for ruby-json was approved a few years ago, when libruby still provided the gem: https://bugs.launchpad.net/ubuntu/+source/ruby- json/+bug/1990572 This needs to be promoted to main as soon as possible, to unblock the pcs migration, which in turn will help in the ruby-rack stack migration. There is no other/better way to solve this that is already in main. The source builds a single homonymous binary, ruby-json, and its debug symbols. [Security] The security review performed in https://bugs.launchpad.net/ubuntu/+source/ruby-json/+bug/1990572 was used as a base. The following CVEs were reported with ruby-json involved. - CVE-2013-0269 - CVE-2020-10663 Both of them are listed in the Debian tracker. https://security-tracker.debian.org/tracker/source-package/ruby-json also shows - CVE-2025-27788 - Which affects 2.10.0 and was ficed in 2.10.2. 
However, the version packaged in debian unstable/ubuntu devel is 2.9.1, which is lower than the one affected. In a future merge, the version will already contain the fix. + Which affects 2.10.0 and was fixed in 2.10.2. However, the version packaged in debian unstable/ubuntu devel is 2.9.1, which is lower than the one affected. In a future merge, the version will already contain the fix. This is a ruby library with no executables. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - does not install services, timers or recurring jobs - does not open privileged ports (ports < 1024). - does not expose any external endpoints - does not contain extensions to security-sensitive software [Quality assurance - function/usage] The package works well right after install [Quality assurance - maintenance] The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs: - Ubuntu https://bugs.launchpad.net/ubuntu/+source/ruby-json/+bug - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=ruby-json - Upstream: https://github.com/ruby/json/issues The package does not deal with exotic hardware we cannot support [Quality assurance - testing] The package runs a test suite on build time, if it fails, and it makes the build fail. 
Link to recent build log: https://launchpadlibrarian.net/803877316/buildlog_ubuntu-questing-amd64.ruby-json_2.9.1+dfsg-1_BUILDING.txt.gz The package runs autopkgtests, and is currently passing on all architectures, as seen in https://autopkgtest.ubuntu.com/packages/ruby- json [Quality assurance - packaging] debian/watch is present and works debian/control defines a correct Maintainer field This package does not yield massive lintian Warnings, Errors Recent build log of the package: https://launchpadlibrarian.net/803877316/buildlog_ubuntu-questing-amd64.ruby-json_2.9.1+dfsg-1_BUILDING.txt.gz This is the full output I have got from `lintian --pedantic`: W: ruby-json: old-fsf-address-in-copyright-file P: ruby-json: repeated-path-segment 3.3.0 [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/extensions/x86_64-linux-gnu/3.3.0/] P: ruby-json: repeated-path-segment ext [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/gems/json-2.9.1/ext/json/ext/] P: ruby-json: repeated-path-segment lib [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/gems/json-2.9.1/lib/] P: ruby-json: repeated-path-segment x86_64-linux-gnu [usr/lib/x86_64-linux-gnu/rubygems-integration/3.3.0/extensions/x86_64-linux-gnu/] Lintian overrides are not present This package does not rely on obsolete or about to be demoted packages. This package has no python2 or GTK2 dependencies The package will not be installed by default Packaging and build is easy: https://git.launchpad.net/ubuntu/+source/ruby-json/tree/debian/rules [UI standards] Application is not end-user facing (does not need translation) [Dependencies] Used check-mir from ubuntu-dev-tools to validate, and all dependencies or recommends are in main. 
[Standards compliance] This package correctly follows FHS and Debian Policy [Maintenance/Owner] The owning team will be ubuntu-server, and I have their acknowledgment for that commitment This does not use static builds This does not use vendored code This package is not rust based The package has been built within the last 3 months in a PPA: https://launchpad.net/~rr/+archive/ubuntu/mir-ruby-json [Background information] The Package description explains the package well Upstream Name is json Link to upstream project: https://github.com/ruby/json
--
https://bugs.launchpad.net/bugs/2115398
Title: [MIR] ruby-json
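Review bot: In [Security], CVE-2013-0269 and CVE-2020-10663 are listed with no fixed version or tracker status, so the description alone does not show that the packaged 2.9.1 is unaffected by them. Add that for each, in the same way the corrected sentence does for CVE-2025-27788 ("affects 2.10.0 and was fixed in 2.10.2"), and consider stating the first affected version explicitly, since "lower than the one affected" relies on 2.10.0 being where the issue was introduced. The [Quality assurance - testing] sentence "if it fails, and it makes the build fail" is also still garbled and could read "and if it fails, the build fails".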