debcrafters-packages team mailing list archive

Thread
Date
[Bug 2099086] Re: [MIR] tinysparql

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Ioanna Alifieraki <2099086@xxxxxxxxxxxxxxxxxx>
Date: Tue, 29 Jul 2025 09:43:15 -0000
Reply-to: Bug 2099086 <2099086@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
** Changed in: tinysparql (Ubuntu)
     Assignee: Ioanna Alifieraki (joalif) => (unassigned)

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to tinysparql in Ubuntu.
https://bugs.launchpad.net/bugs/2099086

Title:
  [MIR] tinysparql

Status in tinysparql package in Ubuntu:
  Fix Released

Bug description:
  The Tracker developers have renamed Tracker to TinySPARQL. We have
  packaged the latest version with the source package tinysparql and
  will remove the source package tracker after tinysparql migrates out
  of plucky-proposed.

  This MIR should be processed along with the localsearch MIR LP:
  #2099160

  [Availability]
  The package tinysparql is already in Ubuntu universe.
  The package tinysparql build for the architectures it is designed to work on.
  It currently builds and works for all Ubuntu architectures except for i386
  Link to package https://launchpad.net/ubuntu/+source/tinysparql

  [Rationale]
  - The package tinysparql is required in Ubuntu main because it is GNOME's search indexer and is deeply integrated into nautilus.
  - The package tinysparql will generally be useful for a large part of our user base
  - The package tinysparql will not generally be useful for a large part of
  - The package tinysparql is a new runtime dependency of package nautilus that we already support
  - There is no other/better way to solve this that is already in main or should go universe->main instead of this.
  - The binary package tinysparql needs to be in main to achieve: the "tracker" name doesn't exist after the 3.7 series for GNOME 46. We want to use the supported "tinysparql" series instead.

  - The package tinysparql is required in Ubuntu main for Ubuntu 25.04.
  The package rename was uploaded to Ubuntu 25.04 before Feature Freeze.

  [Security]
  - No CVEs/security issues in this software in the past

  tracker-miners had a CVE (see LP: #2099160)

  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does install services, timers or recurring jobs

  systemd user service tinysparql-xdg-portal-3.service
  dbus service org.freedesktop.portal.Tracker.service

  - Security has been kept in mind and common isolation/risk-mitigation
  patterns are in place utilizing the following features:

  localsearch handles much of the indexing

  - Packages does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints

  TODO: - Packages does not contain extensions to security-sensitive software
  TODO:   (filters, scanners, plugins, UI skins, ...)

  I'm not sure what those terms mean, but I consider this to be
  security-sensitive software.

  Out of an abundance of caution (and because it requires NPM stuff
  which is complex to build), I have removed the tinysparql web-ide
  feature from the Debian/Ubuntu packaging of tracker. This annoys
  upstream who would prefer to have it easily available for install
  https://gitlab.gnome.org/GNOME/tinysparql/-/issues/477

  GNOME provides this page for reporting security vulnerabilities in core GNOME components like tinysparql
  https://security.gnome.org/

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream. However, there are a lot of open Ubuntu bugs.
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/tracker
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=tracker
  - Upstream https://gitlab.gnome.org/GNOME/tinysparql/-/issues

  The Ubuntu Desktop team believes that tracker has significantly
  improved in performance in recent years, but still might misbehave. On
  the other hand, the localsearch sandbox has been so strict that it can
  take time for the sandbox to be adjusted upstream to account for
  changes in dependencies.

  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package runs a test suite on build time, if it fails it makes the build fail, link to build log
  https://launchpad.net/ubuntu/+source/tinysparql/3.8.2-3

  TODO-A: - The package runs an autopkgtest, and is currently passing on
  TODO-A:   this TBD list of architectures, link to test logs TBD

  https://autopkgtest.ubuntu.com/packages/tinysparql

  RULE: - existing but failing tests that shall be handled as "ok to fail"
  RULE:   need to be explained along the test logs below
  TODO-A: - The package does have not failing autopkgtests right now
  TODO-B: - The package does have failing autopkgtests tests right now, but since
  TODO-B:   they always failed they are handled as "ignored failure", this is
  TODO-B:   ok because TBD

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package
  https://launchpad.net/ubuntu/+source/tinysparql/3.8.2-3
  - Lintian overrides are not present

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
  questions

  - Packaging and build is easy, link to debian/rules
  https://salsa.debian.org/gnome-team/tinysparql/-/blob/debian/latest/debian/rules

  [UI standards]
  - Application is end-user facing, Translation is present, via standard intltool/gettext or similar build and runtime internationalization system

  - End-user applications without desktop file, not needed because it is
  more of a service than an app. However, it can be configured with
  gnome-control-center in the Search page.

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  except for the localsearch MIR LP: #2099160

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The owning team will be Desktop Packages and I have their acknowledgement for that commitment
  TODO-A: - The future owning team is already subscribed to the package
  TODO-B: - The future owning team is not yet subscribed, but will subscribe to the package before promotion

  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad: https://launchpad.net/ubuntu/+source/tinysparql/3.8.2-3

  [Background information]
  The Package description explains the package well
  Upstream Name is tinysparql
  https://gitlab.gnome.org/GNOME/tinysparql

  Link to previous MIR LP: #1313996

  Ubuntu 25.04 ships tinysparql 3.8 (GNOME 47) because localsearch 3.9 (GNOME 48) switched to ffmpeg/libav (which are in Ubuntu universe) and the Ubuntu Desktop Team has not had time to evaluate the situation.
  https://gitlab.gnome.org/GNOME/localsearch/-/merge_requests/579

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tinysparql/+bug/2099086/+subscriptions