debcrafters-packages team mailing list archive

Thread
Date
[Bug 2119257] [NEW] [MIR] rust-threecpio

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Benjamin Drung <2119257@xxxxxxxxxxxxxxxxxx>
Date: Thu, 31 Jul 2025 22:24:36 -0000
Reply-to: Bug 2119257 <2119257@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

[Availability]

The package rust-threecpio is already in Ubuntu universe.
The package rust-threecpio build for the architectures it is designed to work on.
The build for i386 should be enabled to have it on all architectures.
Link to package https://launchpad.net/ubuntu/+source/rust-threecpio

[Rationale]

- The package rust-threecpio is required in Ubuntu main for cpio archive
  handling for initrds.
- The package rust-threecpio will generally be useful for a large part of
  our user base
- Package rust-threecpio covers the same use case as GNU cpio, but is better
  because 3cpio is written in Rust, thereby we want to replace it.
- 3cpio only support the cpio format used for initrds, but generating initrd
  is the only use case for GNU cpio to be in main.
- This is the first time package will be in main
- The binary packages 3cpio needs to be in main to provide the 3cpio command.
- All binary packages built by rust-threecpio need to be in main (it only builds 3cpio)

- It would be great and useful to community/processes to have the
  package 3cpio in Ubuntu main this cycle, but there is no definitive deadline.

[Security]
- No CVEs/security issues in this software in the past (since its birth in April 2024)
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Packages does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-threecpio/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-threecpio (currently still in NEW)
  - Upstream's bug tracker: https://github.com/bdrung/3cpio/issues
- The package has no important open bugs (only feature requests)
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
RULE: - The package must include a non-trivial test suite
RULE:   - it should run at package build and fail the build if broken
- The package runs a test suite on build time, if it fails
  it makes the build fail, https://launchpadlibrarian.net/808547820/buildlog_ubuntu-questing-amd64.rust-threecpio_0.8.1-0ubuntu1_BUILDING.txt.gz

- The package does not run an autopkgtest because I haven't figured out how to run the usptream tests in autopkgtest (examples of how other Rust packages do it are welcome)
- The package does have not failing autopkgtests right now
- Once we switch from cpio to 3cpio, 3cpio will be used/tested by the initramfs-tools and dracut autopkgtest.

[Quality assurance - packaging]
- debian/watch is present and works

- debian/control defines a correct Maintainer field

- This package does not yield massive lintian Warnings, Errors
- Lintian overrides are not present

lintian output of a local build of 0.8.1-0ubuntu1:
W: rust-threecpio source: unknown-field Vendored-Sources-Rust
I: rust-threecpio source: adopted-extended-field (in section for 3cpio) XB-X-Cargo-Built-Using [debian/control:33]
I: rust-threecpio source: adopted-extended-field (in section for source) XSBC-Original-Maintainer [debian/control:17]
I: 3cpio: file-references-package-build-path [usr/bin/3cpio]
I: 3cpio: hardening-no-fortify-functions [usr/bin/3cpio]
P: rust-threecpio source: package-does-not-install-examples [debian/rust-vendor/lexopt/examples/]
X: rust-threecpio source: debian-watch-does-not-check-openpgp-signature [debian/watch]
X: rust-threecpio source: prefer-uscan-symlink filenamemangle s/.*\/(.*)\/download/threecpio-$1\.tar\.gz/g [debian/watch:4]
X: rust-threecpio source: update-debian-copyright 2024 vs 2025 [debian/copyright:26]
X: rust-threecpio source: upstream-metadata-file-is-missing

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf
  questions higher than medium

- Packaging and build is easy, link to debian/rules:
https://git.launchpad.net/ubuntu/+source/rust-
threecpio/tree/debian/rules

[UI standards]
- Application is not really end-user facing (does not need translation)

[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate
  all dependencies or recommends are in main.

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be debcrafters-packages (since cpio is maintained by
  debcrafters-packages) and I have their acknowledgment for that commitment
- The future owning team is already subscribed to the package

- The team debcrafters is aware of the implications by a static build and
  commits to test no-change-rebuilds and to fix any issues found for the
  lifetime of the release (including ESM)

- The team debcrafters is aware of the implications of vendored code and (as
  alerted by the security team) commits to provide updates and backports
  to the security team for any affected vendored code for the lifetime
  of the release (including ESM).

- This package uses vendored rust code tracked in Cargo.lock as shipped,
  in the package (at /usr/share/doc/3cpio/Cargo.lock - might be
  compressed), "cargo vendor debian/rust-vendor/" is used for updating
- This package is rust based and vendors all non language-runtime
  dependencies
- The 3cpio kept its dependency list short for easier maintenance.

- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-threecpio/0.8.1-0ubuntu1

[Background information]
The Package description explains the package well
Upstream Name is 3cpio
Link to upstream project: https://github.com/bdrung/3cpio
The upstream README.md contains more information

dracut-core, initramfs-tools-core, live-build, microcode-initrd, and
ubuntu-standard depend on cpio. The plan is to change those tools to use
3cpio. The code for initramfs-tools is already written:
https://salsa.debian.org/kernel-team/initramfs-
tools/-/merge_requests/172. Code for dracut is pending. Changing
microcode-initrd will be simple.

** Affects: rust-threecpio (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to rust-threecpio in Ubuntu.
Matching subscriptions: rust-threecpio
https://bugs.launchpad.net/bugs/2119257

Title:
  [MIR] rust-threecpio

Status in rust-threecpio package in Ubuntu:
  New

Bug description:
  [Availability]

  The package rust-threecpio is already in Ubuntu universe.
  The package rust-threecpio build for the architectures it is designed to work on.
  The build for i386 should be enabled to have it on all architectures.
  Link to package https://launchpad.net/ubuntu/+source/rust-threecpio

  [Rationale]

  - The package rust-threecpio is required in Ubuntu main for cpio archive
    handling for initrds.
  - The package rust-threecpio will generally be useful for a large part of
    our user base
  - Package rust-threecpio covers the same use case as GNU cpio, but is better
    because 3cpio is written in Rust, thereby we want to replace it.
  - 3cpio only support the cpio format used for initrds, but generating initrd
    is the only use case for GNU cpio to be in main.
  - This is the first time package will be in main
  - The binary packages 3cpio needs to be in main to provide the 3cpio command.
  - All binary packages built by rust-threecpio need to be in main (it only builds 3cpio)

  - It would be great and useful to community/processes to have the
    package 3cpio in Ubuntu main this cycle, but there is no definitive deadline.

  [Security]
  - No CVEs/security issues in this software in the past (since its birth in April 2024)
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Packages does not open privileged ports (ports < 1024).
  - Package does not expose any external endpoints
  - Packages does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-threecpio/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-threecpio (currently still in NEW)
    - Upstream's bug tracker: https://github.com/bdrung/3cpio/issues
  - The package has no important open bugs (only feature requests)
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  RULE: - The package must include a non-trivial test suite
  RULE:   - it should run at package build and fail the build if broken
  - The package runs a test suite on build time, if it fails
    it makes the build fail, https://launchpadlibrarian.net/808547820/buildlog_ubuntu-questing-amd64.rust-threecpio_0.8.1-0ubuntu1_BUILDING.txt.gz

  - The package does not run an autopkgtest because I haven't figured out how to run the usptream tests in autopkgtest (examples of how other Rust packages do it are welcome)
  - The package does have not failing autopkgtests right now
  - Once we switch from cpio to 3cpio, 3cpio will be used/tested by the initramfs-tools and dracut autopkgtest.

  [Quality assurance - packaging]
  - debian/watch is present and works

  - debian/control defines a correct Maintainer field

  - This package does not yield massive lintian Warnings, Errors
  - Lintian overrides are not present

  lintian output of a local build of 0.8.1-0ubuntu1:
  W: rust-threecpio source: unknown-field Vendored-Sources-Rust
  I: rust-threecpio source: adopted-extended-field (in section for 3cpio) XB-X-Cargo-Built-Using [debian/control:33]
  I: rust-threecpio source: adopted-extended-field (in section for source) XSBC-Original-Maintainer [debian/control:17]
  I: 3cpio: file-references-package-build-path [usr/bin/3cpio]
  I: 3cpio: hardening-no-fortify-functions [usr/bin/3cpio]
  P: rust-threecpio source: package-does-not-install-examples [debian/rust-vendor/lexopt/examples/]
  X: rust-threecpio source: debian-watch-does-not-check-openpgp-signature [debian/watch]
  X: rust-threecpio source: prefer-uscan-symlink filenamemangle s/.*\/(.*)\/download/threecpio-$1\.tar\.gz/g [debian/watch:4]
  X: rust-threecpio source: update-debian-copyright 2024 vs 2025 [debian/copyright:26]
  X: rust-threecpio source: upstream-metadata-file-is-missing

  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies

  - The package will be installed by default, but does not ask debconf
    questions higher than medium

  - Packaging and build is easy, link to debian/rules:
  https://git.launchpad.net/ubuntu/+source/rust-
  threecpio/tree/debian/rules

  [UI standards]
  - Application is not really end-user facing (does not need translation)

  [Dependencies]
  - Used check-mir from ubuntu-dev-tools to validate
    all dependencies or recommends are in main.

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - The owning team will be debcrafters-packages (since cpio is maintained by
    debcrafters-packages) and I have their acknowledgment for that commitment
  - The future owning team is already subscribed to the package

  - The team debcrafters is aware of the implications by a static build and
    commits to test no-change-rebuilds and to fix any issues found for the
    lifetime of the release (including ESM)

  - The team debcrafters is aware of the implications of vendored code and (as
    alerted by the security team) commits to provide updates and backports
    to the security team for any affected vendored code for the lifetime
    of the release (including ESM).

  - This package uses vendored rust code tracked in Cargo.lock as shipped,
    in the package (at /usr/share/doc/3cpio/Cargo.lock - might be
    compressed), "cargo vendor debian/rust-vendor/" is used for updating
  - This package is rust based and vendors all non language-runtime
    dependencies
  - The 3cpio kept its dependency list short for easier maintenance.

  - The package has been built within the last 3 months in the archive
  - Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-threecpio/0.8.1-0ubuntu1

  [Background information]
  The Package description explains the package well
  Upstream Name is 3cpio
  Link to upstream project: https://github.com/bdrung/3cpio
  The upstream README.md contains more information

  dracut-core, initramfs-tools-core, live-build, microcode-initrd, and
  ubuntu-standard depend on cpio. The plan is to change those tools to
  use 3cpio. The code for initramfs-tools is already written:
  https://salsa.debian.org/kernel-team/initramfs-
  tools/-/merge_requests/172. Code for dracut is pending. Changing
  microcode-initrd will be simple.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rust-threecpio/+bug/2119257/+subscriptions