[MIR] libdecor-0
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libdecor-0 (Ubuntu) |
Fix Released
|
Undecided
|
Lukas Märdian |
Bug Description
MIR libdecor-0
Identified TODOs:
- update d/watch in Debian
[Availability]
The package libdecor-0 is already in Ubuntu universe.
The package libdecor-0 builds for the architectures it is designed to work on.
Link to package [[https:/
[Rationale]
- The package libdecor-0 will generally be useful for our user base as it helps
with window decorations in wayland environments which are becoming the common
way.
- The package libdecor-0 is a new runtime dependency of package libsdl2that
we already support
[Security]
- No CVEs/security issues in this software in the past (but also is rather new)
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services
- Packages does not open privileged ports (ports < 1024)
[Quality assurance - function/usage]
- The package works well right after install (well it is a lib, but
the demo programs or e.g. qemu->libsdl-
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many
and long term critical bugs open (but again, it is rather new)
- Ubuntu https:/
- Debian https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run a test suite on build time, but it has
an autopkgtest defined
- The package runs an autopkgtest, and is currently passing on
all architectures, link to test logs:
https:/
These tests are simple (and therfore marked superficial) but given how small
and specialized it is there isn't much more that can be done on that level.
To make up for that (being a lib) it will be used and tested in higher levels
like more small tests in
https:/
and even higher in users of libsdl.
Testing therefore exists, but isn't perfect. Yet since it is a UI thing in
a small lib there is only so much one can do on this level in an automated
fashion on a non-screen test VM.
- The package does have not failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present but imperfect, IMHO that can be fixed
- This package does not yield massive lintian Warnings, Errors
(only a few no manpage warnings for demo binaries)
- Link to recent build log including a lintian run https:/
- This package does not rely on obsolete or about to be demoted packages.
libwayland-
- The package will not be installed by default
- Packaging and build is easy, link to d/rules https:/
[UI standards]
- Application is end-user facing, but no translation is present.
The deal that makes this ok is that it is usually only surfacing via
decorations (visual, non text) and thereby does not need translations for
these.
- Not an End-user applications that needs a desktop file
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Desktop, this is a bit special as Server is driving the
MIR since the original dependency comes from qemu->libsdl2-
But the context is all desktop and this is the package that functionally
crosses the expertise to be present in the Desktop, not the server team.
Agreed via chat with seb128 on 2021-12-02
[12:37] <cpaelzer> Hi Desktop team, recently a componentmismatch from libsdl2 (already Desktop'ish but on server team because qemu needed it) to libdecor appeared
[12:37] <cpaelzer> i'm evaluating the case for https:/
[12:38] <cpaelzer> I'm tempted to want to MIR it in 22.04 - it is small, simple, has tests, ...
[12:38] <cpaelzer> but for me this is kind of crossing the line to Desktop experience being more important
[12:39] <cpaelzer> hence I wanted to ask if I could drive all of the MIR but Desktop-packagers would be ok to eventually (once promoted) subscribe to the package
[12:39] <cpaelzer> ken-vandine: seb128: ^^ ?
[12:52] <matterircd> Replaying since 2021-12-02 12:39:11
[12:52] <seb128> wfm, thanks for asking!
- Team is not yet subscribed, but will subscribe to the package before promotion
- This does not use static builds
[Background information]
The Package description explains the package well
Upstream Name is libdecor
Link to upstream project https:/
Changed in libdecor-0 (Ubuntu): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
description: | updated |
Changed in libdecor-0 (Ubuntu): | |
assignee: | Christian Ehrhardt (paelzer) → nobody |
status: | Incomplete → New |
Changed in libdecor-0 (Ubuntu): | |
assignee: | nobody → Lukas Märdian (slyon) |
Review for Package: src:libdecor-0
[Summary]
This is a rather small and simple library to draw client side decorations on
wayland. Albeit being a pretty new project with only a single, initial release
so far, the codebase seems to be in good shape and properly maintained.
MIR team ACK
This does not need a security review
List of specific binary packages to be promoted to main: 0-plugin- 1-cairo, libdecor-0-dev
libdecor-0-0, libdecor-
Specific binary packages built, but NOT to be promoted to main:
libdecor-tests (not really needed in main)
Notes:
This package is in pretty good shape overall. As it is a pretty new library, we
should monitor the development initally, to make sure it is not being neglected.
It does not touch security critical things, and I guess we can skip security
review on this one.
Required TODOs:
- None
Recommended TODOs: Debian/ Ubuntu and make sure
- The package should get a team bug subscriber before being promoted (~desktop?)
- Improve debian/watch
- Work towards improved test coverage in the future
- Closely monitor the release cadence of Upstream/
this package doesn't get neglected
[Duplication]
There is no other package in main providing the same functionality.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- checked with check-mir
- not listed in seeded-in-ubuntu
- none of the (potentially auto-generated) dependencies (Depends
and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest
- if a non-trivial test on this level does not make sense (the lib alone
is only doing rather simple things), is the overall solution (app+libs)
extensively covered i.e. via end to end autopkgtest ? => it is covered in many
libsdl2 & libsdl2 user's autopkgtests
- no new python2 dependency
Problems:
- does NOT have a test suite that runs & fails the build
- autopkgtest is superficial
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok (if needed, e.g. non-native)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-dis...