I finished the vendoring and the test plan so this should be ready for review now.
** Description changed: [Availability] The package papers is already in Ubuntu universe. The package papers build for the architectures it is designed to work on. It currently builds and works for architectures: every Ubuntu release architecture except for i386 and armhf. armhf is not an Ubuntu Desktop architecture. There is a Rust toolchain issue on armhf affecting some apps like papers. Link to package https://launchpad.net/ubuntu/+source/papers [Rationale] There must be a certain level of demand for the package - - The package papers is required in Ubuntu main for + - The package papers is required in Ubuntu main because it is a better maintained alternative than evince which Ubuntu Desktop has included since the beginning. - The package papers will generally be useful for a large part of our user base - - Package papers covers the same use case as evince, but is better because it is much more actively maintained than evince and GNOME is switching from evince to papers, thereby we want to replace evince. + - Package papers covers the same use case as evince, but is better because it is much more actively maintained than evince and GNOME is switching from evince to papers and therefore we want to replace evince. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. - The binary package papers needs to be in main to achieve providing the best maintained and integrated standalone PDF viewer in Ubuntu - The package papers is required in Ubuntu main for Ubuntu 25.04. Obviously it won't make it in before Feature Freeze so we'll file a Feature Freeze Exception later. [Security] - Had multiple security issues in the past https://security-tracker.debian.org/tracker/source-package/evince https://ubuntu.com/security/cve?package=evince I am linking to evince because papers is a fork of evince. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features: + apparmor profile copied from evince - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints - Packages does not contain extensions to security-sensitive software Papers is expected to be able to frequently parse and view untrusted PDFs, although poppler is the library that should be doing most of that work. [Quality assurance - function/usage] - The package works well right after install [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs + Ubuntu https://bugs.launchpad.net/ubuntu/+source/papers + Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=papers + Upstream https://gitlab.gnome.org/GNOME/Incubator/papers/-/issues - The package does not deal with exotic hardware we cannot support [Quality assurance - testing] - The package does not run a test at build time because the app is a GUI frontend for poppler. There aren't mature frameworks for testing GTK4 apps. - The package runs an autopkgtest, and is currently passing on all architectures it is built for (all Ubuntu architectures except for i386 and armhf) https://autopkgtest.ubuntu.com/packages/papers - The package does have not failing autopkgtests right now - The package can not be well tested at build or autopkgtest time because it is a GUI PDF app. To make up for that, we created a manual test plan https://wiki.ubuntu.com/DesktopTeam/TestPlans/Papers We will execute that test plan on-uploads regularly (for every SRU and when uploading new major versions to the Ubuntu development release) [Quality assurance - packaging] - debian/watch is present and works - debian/control defines a correct Maintainer field - This package does not yield massive lintian Warnings, Errors - Please link to a recent build log of the package https://launchpad.net/ubuntu/+source/papers/48~beta-3ubuntu1 - Please attach the full output you have got from `lintian --pedantic` as an extra post to this bug. - Lintian overrides are not present - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies - The package will be installed by default, but does not ask debconf questions - Packaging and build is easy, link to debian/rules https://salsa.debian.org/ubuntu-dev-team/papers/-/blob/ubuntu/latest/debian/rules [UI standards] - Application is end-user facing, Translation is present, via standard intltool/gettext or similar build and runtime internationalization system - End-user application that ships a standard conformant desktop file [Dependencies] - No further depends or recommends dependencies that are not yet in main [Standards compliance] - This package correctly follows FHS and Debian Policy [Maintenance/Owner] - The owning team will be Desktop Packages and I have their acknowledgement for that commitment - The future owning team is not yet subscribed, but will subscribe to the package before promotion - The team Ubuntu Desktop is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM) - The team Ubuntu Desktop is aware of the implications of vendored code and (as alerted by the security team) commits to provide updates and backports to the security team for any affected vendored code for the lifetime of the release (including ESM). - This package uses vendored rust code tracked in Cargo.lock, refreshing that code is outlined in debian/README.source NOTE: The MIR documentation says that Cargo.lock was expected to be shipped with the package. Is that something we need or is that handled by the XS-Vendored-Sources-Rust field? - This package is rust based and vendors all non language-runtime dependencies - The package has been built within the last 3 months in the archive https://launchpad.net/ubuntu/+source/papers/48~beta-3ubuntu1 [Background information] The Package description explains the package well Upstream Name is Papers Link to upstream project https://gitlab.gnome.org/GNOME/Incubator/papers Papers was forked from Evince around May 2024. The Papers developers were frustrated that their efforts to improve Evince with merge requests to switch to GTK4 and switch some code from C to rust had been ignored for too long. After the fork, Evince has had minimal development, while Papers has had rapid development with a much larger pool of contributors. GNOME is expected to switch from Evince to Papers for GNOME Core for GNOME 49 (September 2025 release). The tracking bug for that is https://gitlab.gnome.org/Teams/Releng/AppOrganization/-/issues/24 Compared to Evince, these features have been removed: - support for DVI, PostScript and XPS formats. Evince had disabled support for Postscript by default after a security vulnerability years ago but Ubuntu and most distros overrode that behavior change. Microsoft abandoned XPS years ago. - screen reader support isn't working yet (because of the GTK4 port) but this is being worked on and Firefox is able to read PDFs well. Evince's screen reader support is awkward to use. This feature has been added: - menu item to digitally sign a document with certificates such as those present in the national ID for Spain. And some verification of signed documents. Evince or Papers also provides the Print Preview feature for the GTK print dialog. I attempted to use cargo-vendor-filterer but the build failed because there were a large number of required Rust crate dependencies that were excluded by cargo-vendor-filterer. This presents a burden not just for this MIR but for every major upload in the future. Assistance is requested by someone who has more experience with Rust crate dependencies to fix this issue. Maybe the Papers Cargo.toml files are insufficient for this use case and needs to specify more requirements explicitly. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2097727 Title: [MIR] papers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/papers/+bug/2097727/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
