debcrafters-packages team mailing list archive

Thread
Date
[Bug 2113961] Re: [MIR] util-linux

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Skia <2113961@xxxxxxxxxxxxxxxxxx>
Date: Tue, 24 Jun 2025 15:15:35 -0000
Reply-to: Bug 2113961 <2113961@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
** Summary changed:

- [MIR] liblastlog2-2
+ [MIR] util-linux

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2113961

Title:
  [MIR] util-linux

Status in util-linux package in Ubuntu:
  New

Bug description:
  [Availability]
  The package src:util-linux is already in Ubuntu main.
  The package src:util-linux build for the architectures it is designed to work on.
  It currently builds and works for architectures: amd64, arm64, armhf, i386, ppc64el, riscv64, s390x
  Link to package https://launchpad.net/ubuntu/+source/util-linux

  [Rationale]

  See previous rational below for what actually sparked this MIR.
  Now that `bin:liblastlog2-2` has been promoted and everything is unblocked, the
  rationale becomes as simple as an ask for a re-review for one of the `Essential`
  packages, shipping, among other things, a few `suid` binaries in absolutely
  every form Ubuntu can take.
  https://canonical-ubuntu-project.readthedocs-hosted.com/MIR/mir-rereview/#opt-in-re-review

  Original rationale:
  Okay, it seems the MIR template doesn't apply well for this use-case, because
  it more or less assumes that the MIR is about a source package that is currently
  in universe. In the current situation, only an existing binary package needs to be
  promoted, from a source package already in main. I'll do my best to adapt the
  template and provide a good rational.

  - bin:liblastlog2-2 is provided by src:util-linux, and was already there in
    plucky/universe.
  - The package src:util-linux is generally useful for a large part of
    our user base: it provides the bin:util-linux package, that is even flagged as
    `Essential: yes`.
    This is the package providing, among many other things, the `su`, `fsck`,
    `flock`, or `mkswap` binaries, all mostly essential to any system (random
    selection of important commands to give a quick example).
  - The package bin:liblastlog2-2 is a new runtime dependency of package
    bin:util-linux that we already support.
  - The binary packages liblastlog2-2 needs to be in main to have the latest merge
    of util-linux migrate from questing-proposed to questing.
  - All other binary packages currently in universe built by src:util-linux should
    remain in universe.
  - The package bin:liblastlog2-2 is required in Ubuntu main no later than
    somewhere in July due to some partners requiring patches to be SRU'd to Noble,
    and thus needing the package to migrate from -proposed (even though it's not a
    hard block from the SRU team, according to what I've red on Matrix recently).

  [Security]
  - Obviously, util-linux has had some security issues in the past (although not
    that much):
    - https://ubuntu.com/security/cves?package=util-linux
    - https://security-tracker.debian.org/tracker/source-package/util-linux
  - Those issues seems to be handled correctly in both Ubuntu and Debian:
    - https://ubuntu.com/security/CVE-2024-28085
    - https://security-tracker.debian.org/tracker/CVE-2024-28085
    - https://security-tracker.debian.org/tracker/CVE-2021-37600

  - There are countless binaries in sbin, but I'm fairly confident taking them out
    is a big plan of its own to still have a working system.
  - There are just a couple systemd units:
    - fstrim.{service,timer}: Discard unused filesystem blocks once a week
    - lastlog2-import.service: Import lastlog data into lastlog2 database - run
      only once in some particular situations to handle a data migration

  - About common isolation/risk-mitigation:
    - I'm not sure anything in util-linux is opening privileged ports.
    - I know some binaries are dropping privileges.
    - Going much further on that topic would be a full audit, for which I
      unfortunately don't really have time and competency for. I hope that's okay.

  - Packages does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/util-linux/+bugs?orderby=-importance&start=0
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=util-linux
    - Upstream https://github.com/util-linux/util-linux/issues
    - Obviously this package has tons of bugs opened, but at the same time, it has
      a lot of activity, and is well maintained upstream, in Debian, and in
      Ubuntu, just because of its central position in any Linux system.
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails
    it makes the build fail, link to build log TBD
  - The package runs an autopkgtest, and is currently passing on
    all architectures but i386: https://autopkgtest.ubuntu.com/packages/util-linux
  - The package does have not failing autopkgtests right now

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Recent build: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2/+build/30908305
  - Lintian overrides are present, but ok because most are well commented, and the rest is pretty obvious, like highly privileged binaries.

  - This package does not rely on obsolete or about to be demoted
  packages.

  - The package will be installed by default, but does not ask debconf
    questions higher than medium

  - Packaging is quite complex, but I'm not sure how much of a choice we have.
    Good thing is that this package is equally important in Debian, so it will very
    likely keep being maintained.

  [UI standards]
  - Application is end-user facing, Translation is present, via standard
    intltool/gettext. See `configure` for `libintl` and `gettext`.

  - End-user applications without desktop file, not needed because it only ships
  CLI tools.

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy.

  [Maintenance/Owner]
  - The owning team will be debcrafters-packages and I have their acknowledgement for
    that commitment
  - The future owning team is already subscribed to the package.

  - This does not use static builds.
  - This does not use vendored code
  - This package is not rust based

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad: https://launchpad.net/ubuntu/+source/util-linux/2.41-4ubuntu2

  [Background information]
  The Package description explains the package well
  Upstream Name is `util-linux`
  Link to upstream project: https://github.com/util-linux/util-linux/

  This package has been in main since the very early beginning of Ubuntu, so never
  got the chance to get a proper MIR.
  This was sparked when the `bin:util-linux` has started to depend on
  `bin:liblastlog2-2`, which was in Universe. `liblastlog2-2` was nicely
  handled by @paelzer under the "Renamed or re-organized sources" condition.
  This MIR still makes sense to me, given that `util-linux` provides many
  very important binaries, among which many of them are `suid`, and is one the
  `Essential` packages shipped in absolutely every form Ubuntu can take.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2113961/+subscriptions
References

[Bug 2113961] [NEW] [MIR] liblastlog2-2
From: Skia, 2025-06-11