Public bug reported:

[Availability]
The package nlohmann-json3 is already in Ubuntu universe
The package nlohmann-json3 builds for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package https://launchpad.net/ubuntu/+source/all

[Rationale]
- The package nlohmann-json3 is required in Ubuntu main as it is a
  runtime dependency for libpisp, which is required in main as it is
  a new runtime dependency for libcamera (LP: #2093321)
- The package nlohmann-json3 will generally be useful for a large part of
  our user base as it is a popular C++ JSON library
- The package nlohmann-json3 is required in Ubuntu main no later than plucky
  release, as this is a runtime dependency of libpisp which is blocking
  migration for libcamera and camera support for the Raspberry Pi is a high
  priority on the plucky roadmap.

[Security]
- I found the following entries in the MITRE DB:
  - https://www.cve.org/CVERecord?id=CVE-2024-38525
  - https://www.cve.org/CVERecord?id=CVE-2024-34363
- These are not CVEs within nlohmann-json, but in other products whose cause
  was a crash due to an uncaught exception in nlohmann-json3
- There is another entry in Snyk:
  https://security.snyk.io/vuln/SNYK-UNMANAGED-NLOHMANNJSON-6387367
  But this is an older nlohmann-json, and not nlohmann-json3
- Unfortunately, here is a list of CVEs
  https://github.com/nlohmann/json/issues?q=is%3Aissue+CVE+updated%3A2024-07-15
  which are present in v3.11.3 but resolved in their develop branch
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does expose an external endpoint (Port 8443), it is used to serve the
  json.hpp file over HTTPS, for services like online compilers and compiler
  explorer

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained in GitHub
  - https://github.com/nlohmann/json/issues
- Any bugs reported after the last release (Nov 2023) have not been resolved
  in v3.11.3 (whether they show up as open or closed on GitHub). This includes
  some CVEs mentioned above.
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run a test at build time
- The package runs an autopkgtest: 
https://autopkgtest.ubuntu.com/packages/nlohmann-json3
- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Recent buildlog:
  https://launchpadlibrarian.net/703347075/buildlog_ubuntu-noble-amd64.nlohmann-json3_3.11.3-1_BUILDING.txt.gz
- $ lintian --pedantic
  E: nlohmann-json3 changes: bad-distribution-in-changes-file unstable
  W: nlohmann-json3-dev: debian-changelog-line-too-long [usr/share/doc/nlohmann-json3-dev/changelog.Debian.gz:4]
  W: nlohmann-json3 source: superfluous-file-pattern tools/cpplint/* [debian/copyright:31]
  W: nlohmann-json3 source: upstream-metadata-field-unknown Homepage [debian/upstream/metadata]
  Need to assign the distribution (and then subsequently change the maintainer)
  and some janitorial cleanup
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
  questions higher than medium
- Packaging and build is easy, link to debian/rules TBD

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further runtime dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The future owning team is not yet subscribed, but will subscribe to
  the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in PPA
- Build link on launchpad:
  https://launchpadlibrarian.net/770251630/buildlog_ubuntu-plucky-amd64.nlohmann-json3_3.11.3-1_BUILDING.txt.gz

[Background information]
- The Package description explains the package well
- Upstream Name is nlohmann-json3
- Link to upstream project https://github.com/nlohmann/json
- This package is a runtime dependency for libpisp which is an MIR candidate
  https://bugs.launchpad.net/ubuntu/+source/libpisp/+bug/2093321

** Affects: nlohmann-json3 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2093868

Title:
  [MIR] nlohmann-json3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nlohmann-json3/+bug/2093868/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs