Public bug reported: [Availability] The package libva is already in Ubuntu universe. The package libva build for the architectures it is designed to work on. It currently builds and works for all Ubuntu architectures Link to package https://launchpad.net/ubuntu/+source/libva
[Rationale] - The package libva is required in Ubuntu main for gnome-remote-desktop - The package libva will generally be useful for a large part of our user base - The package libva is a new runtime dependency of package gnome-remote-desktop that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - The binary package TBD needs to be in main to achieve keeping gnome-remote-desktop up-to-date and supported. - The package libva is required in Ubuntu main no later than February 20 due to Ubuntu 25.04 Feature Freeze. Practically, we will likely need a Feature Freeze Exception for this. [Security] - Had 1 security issue in the past https://ubuntu.com/security/CVE-2023-39929 https://security-tracker.debian.org/tracker/CVE-2023-39929 The CVE is unclear; it might not have affected Ubuntu. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features: + apparmor profile copied from evince - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs + Ubuntu https://bugs.launchpad.net/ubuntu/+source/libva + Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libva + Upstream https://github.com/intel/libva/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package does not run a test at build time because none is provided upstream because it is difficult to test hardware accelerated video processing with build tests. - The package does not run an autopkgtest because it is difficult to test hardware accelerated video processing with autopkgtests. RULE: - If no build tests nor autopkgtests are included, and/or if the package RULE: requires specific hardware to perform testing, the subscribed team RULE: must provide a written test plan in a comment to the MIR bug, and RULE: commit to running that test either at each upload of the package or RULE: at least once each release cycle. In the comment to the MIR bug, RULE: please link to the codebase of these tests (scripts or doc of manual RULE: steps) and attach a full log of these test runs. This is meant to RULE: assess their validity (e.g. not just superficial). RULE: If possible such things should stay in universe. Sometimes that is RULE: impossible due to the way how features/plugins/dependencies work RULE: but if you are going to ask for promotion of something untestable RULE: please outline why it couldn't provide its value (e.g. by splitting RULE: binaries) to users from universe. RULE: This is a balance that is hard to strike well, the request is that all RULE: options have been exploited before giving up. Look for more details RULE: and backgrounds https://github.com/canonical/ubuntu-mir/issues/30 RULE: Just like in the SRU process it is worth to understand what the RULE: consequences a regression (due to a test miss) would be. Therefore RULE: if being untestable we ask to outline what consequences this would RULE: have for the given package. And let us be honest, even if you can RULE: test you are never sure you will be able to catch all potential RULE: regressions. So this is mostly to force self-awareness of the owning RULE: team than to make a decision on. TODO: - The package can not be well tested at build or autopkgtest time TODO: because TBD. To make up for that: TODO-A: - We have access to such hardware in the team TODO-B: - We have allocated budget to get this hardware, but it is not here TODO-B: yet TODO-C: - We have checked with solutions-qa and will use their hardware TODO-C: through testflinger TODO-D: - We have checked with other team TBD and will use their hardware TODO-D: through TBD (eg. MAAS) TODO-E: - We have checked and found a simulator which covers this case TODO-E: sufficiently for testing, our plan to use it is TBD TODO-F: - We have engaged with the upstream community and due to that TODO-F: can tests new package builds via TBD TODO-G: - We have engaged with our user community and due to that TODO-G: can tests new package builds via TBD TODO-H: - We have engaged with the hardware manufacturer and made an TODO-H: agreement to test new builds via TBD TODO-A-H: - Based on that access outlined above, here are the details of the TODO-A-H: test plan/automation TBD (e.g. script or repo) and (if already TODO-A-H: possible) example output of a test run: TBD (logs). TODO-A-H: We will execute that test plan TODO-A-H1: on-uploads TODO-A-H2: regularly (TBD details like frequency: monthly, infra: jira-url) TODO-X: - We have exhausted all options, there really is no feasible way TODO-X: to test or recreate this. We are aware of the extra implications TODO-X: and duties this has for our team (= help SEG and security on TODO-X: servicing this package, but also more effort on any of your own TODO-X: bug triage and fixes). TODO-X: Due to TBD there also is no way to provide this to users from TODO-X: universe. TODO-X: Due to the nature, integration and use cases of the package the TODO-X: consequences of a regression that might slip through most likely TODO-X: would include TODO-X: - TBD TODO-X: - TBD TODO-X: - TBD RULE: - In some cases a solution that is about to be promoted consists of RULE: several very small libraries and one actual application uniting them RULE: to achieve something useful. This is rather common in the go/rust space. RULE: In that case often these micro-libs on their own can and should only RULE: provide low level unit-tests. But more complex autopkgtests make no RULE: sense on that level. Therefore in those cases one might want to test on RULE: the solution level. RULE: - Process wise MIR-requesting teams can ask (on the bug) for this RULE: special case to apply for a given case, which reduces the test RULE: constraints on the micro libraries but in return increases the RULE: requirements for the test of the actual app/solution. RULE: - Since this might promote micro-lib packages to main with less than RULE: the common level of QA any further MIRed program using them will have RULE: to provide the same amount of increased testing. TODO: - This package is minimal and will be tested in a more wide reaching TODO: solution context TBD, details about this testing are here TBD [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions - Packaging and build is easy, link to debian/rules https://salsa.debian.org/multimedia-team/libva/-/blob/master/debian/rules [UI standards] - Application is not end-user facing (does not need translation or .desktop file) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be Desktop Packages and I have their acknowledgement for that commitment - The future owning team is not yet subscribed, but will subscribe to the package before promotion - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/libva/2.22.0-1 [Background information] The Package description explains the package well Upstream Name is libva Link to upstream project https://github.com/intel/libva libva was previously in main but was demoted once it was no longer required for build dependencies to be in main previous MIR: LP: #597354 ** Affects: libva (Ubuntu) Importance: Undecided Status: Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libva in Ubuntu. https://bugs.launchpad.net/bugs/2097800 Title: [MIR] libva Status in libva package in Ubuntu: Incomplete Bug description: [Availability] The package libva is already in Ubuntu universe. The package libva build for the architectures it is designed to work on. It currently builds and works for all Ubuntu architectures Link to package https://launchpad.net/ubuntu/+source/libva [Rationale] - The package libva is required in Ubuntu main for gnome-remote-desktop - The package libva will generally be useful for a large part of our user base - The package libva is a new runtime dependency of package gnome-remote-desktop that we already support - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - The binary package TBD needs to be in main to achieve keeping gnome-remote-desktop up-to-date and supported. - The package libva is required in Ubuntu main no later than February 20 due to Ubuntu 25.04 Feature Freeze. Practically, we will likely need a Feature Freeze Exception for this. [Security] - Had 1 security issue in the past https://ubuntu.com/security/CVE-2023-39929 https://security-tracker.debian.org/tracker/CVE-2023-39929 The CVE is unclear; it might not have affected Ubuntu. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features: + apparmor profile copied from evince - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs + Ubuntu https://bugs.launchpad.net/ubuntu/+source/libva + Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=libva + Upstream https://github.com/intel/libva/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package does not run a test at build time because none is provided upstream because it is difficult to test hardware accelerated video processing with build tests. - The package does not run an autopkgtest because it is difficult to test hardware accelerated video processing with autopkgtests. RULE: - If no build tests nor autopkgtests are included, and/or if the package RULE: requires specific hardware to perform testing, the subscribed team RULE: must provide a written test plan in a comment to the MIR bug, and RULE: commit to running that test either at each upload of the package or RULE: at least once each release cycle. In the comment to the MIR bug, RULE: please link to the codebase of these tests (scripts or doc of manual RULE: steps) and attach a full log of these test runs. This is meant to RULE: assess their validity (e.g. not just superficial). RULE: If possible such things should stay in universe. Sometimes that is RULE: impossible due to the way how features/plugins/dependencies work RULE: but if you are going to ask for promotion of something untestable RULE: please outline why it couldn't provide its value (e.g. by splitting RULE: binaries) to users from universe. RULE: This is a balance that is hard to strike well, the request is that all RULE: options have been exploited before giving up. Look for more details RULE: and backgrounds https://github.com/canonical/ubuntu-mir/issues/30 RULE: Just like in the SRU process it is worth to understand what the RULE: consequences a regression (due to a test miss) would be. Therefore RULE: if being untestable we ask to outline what consequences this would RULE: have for the given package. And let us be honest, even if you can RULE: test you are never sure you will be able to catch all potential RULE: regressions. So this is mostly to force self-awareness of the owning RULE: team than to make a decision on. TODO: - The package can not be well tested at build or autopkgtest time TODO: because TBD. To make up for that: TODO-A: - We have access to such hardware in the team TODO-B: - We have allocated budget to get this hardware, but it is not here TODO-B: yet TODO-C: - We have checked with solutions-qa and will use their hardware TODO-C: through testflinger TODO-D: - We have checked with other team TBD and will use their hardware TODO-D: through TBD (eg. MAAS) TODO-E: - We have checked and found a simulator which covers this case TODO-E: sufficiently for testing, our plan to use it is TBD TODO-F: - We have engaged with the upstream community and due to that TODO-F: can tests new package builds via TBD TODO-G: - We have engaged with our user community and due to that TODO-G: can tests new package builds via TBD TODO-H: - We have engaged with the hardware manufacturer and made an TODO-H: agreement to test new builds via TBD TODO-A-H: - Based on that access outlined above, here are the details of the TODO-A-H: test plan/automation TBD (e.g. script or repo) and (if already TODO-A-H: possible) example output of a test run: TBD (logs). TODO-A-H: We will execute that test plan TODO-A-H1: on-uploads TODO-A-H2: regularly (TBD details like frequency: monthly, infra: jira-url) TODO-X: - We have exhausted all options, there really is no feasible way TODO-X: to test or recreate this. We are aware of the extra implications TODO-X: and duties this has for our team (= help SEG and security on TODO-X: servicing this package, but also more effort on any of your own TODO-X: bug triage and fixes). TODO-X: Due to TBD there also is no way to provide this to users from TODO-X: universe. TODO-X: Due to the nature, integration and use cases of the package the TODO-X: consequences of a regression that might slip through most likely TODO-X: would include TODO-X: - TBD TODO-X: - TBD TODO-X: - TBD RULE: - In some cases a solution that is about to be promoted consists of RULE: several very small libraries and one actual application uniting them RULE: to achieve something useful. This is rather common in the go/rust space. RULE: In that case often these micro-libs on their own can and should only RULE: provide low level unit-tests. But more complex autopkgtests make no RULE: sense on that level. Therefore in those cases one might want to test on RULE: the solution level. RULE: - Process wise MIR-requesting teams can ask (on the bug) for this RULE: special case to apply for a given case, which reduces the test RULE: constraints on the micro libraries but in return increases the RULE: requirements for the test of the actual app/solution. RULE: - Since this might promote micro-lib packages to main with less than RULE: the common level of QA any further MIRed program using them will have RULE: to provide the same amount of increased testing. TODO: - This package is minimal and will be tested in a more wide reaching TODO: solution context TBD, details about this testing are here TBD [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions - Packaging and build is easy, link to debian/rules https://salsa.debian.org/multimedia-team/libva/-/blob/master/debian/rules [UI standards] - Application is not end-user facing (does not need translation or .desktop file) [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be Desktop Packages and I have their acknowledgement for that commitment - The future owning team is not yet subscribed, but will subscribe to the package before promotion - This does not use static builds - This does not use vendored code - This package is not rust based - The package has been built within the last 3 months in the archive - Build link on launchpad: https://launchpad.net/ubuntu/+source/libva/2.22.0-1 [Background information] The Package description explains the package well Upstream Name is libva Link to upstream project https://github.com/intel/libva libva was previously in main but was demoted once it was no longer required for build dependencies to be in main previous MIR: LP: #597354 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libva/+bug/2097800/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
