debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #04796
[Bug 2119257] [NEW] [MIR] rust-threecpio
Public bug reported:
[Availability]
The package rust-threecpio is already in Ubuntu universe.
The package rust-threecpio build for the architectures it is designed to work on.
The build for i386 should be enabled to have it on all architectures.
Link to package https://launchpad.net/ubuntu/+source/rust-threecpio
[Rationale]
- The package rust-threecpio is required in Ubuntu main for cpio archive
handling for initrds.
- The package rust-threecpio will generally be useful for a large part of
our user base
- Package rust-threecpio covers the same use case as GNU cpio, but is better
because 3cpio is written in Rust, thereby we want to replace it.
- 3cpio only support the cpio format used for initrds, but generating initrd
is the only use case for GNU cpio to be in main.
- This is the first time package will be in main
- The binary packages 3cpio needs to be in main to provide the 3cpio command.
- All binary packages built by rust-threecpio need to be in main (it only builds 3cpio)
- It would be great and useful to community/processes to have the
package 3cpio in Ubuntu main this cycle, but there is no definitive deadline.
[Security]
- No CVEs/security issues in this software in the past (since its birth in April 2024)
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-threecpio/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-threecpio (currently still in NEW)
- Upstream's bug tracker: https://github.com/bdrung/3cpio/issues
- The package has no important open bugs (only feature requests)
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
RULE: - The package must include a non-trivial test suite
RULE: - it should run at package build and fail the build if broken
- The package runs a test suite on build time, if it fails
it makes the build fail, https://launchpadlibrarian.net/808547820/buildlog_ubuntu-questing-amd64.rust-threecpio_0.8.1-0ubuntu1_BUILDING.txt.gz
- The package does not run an autopkgtest because I haven't figured out how to run the usptream tests in autopkgtest (examples of how other Rust packages do it are welcome)
- The package does have not failing autopkgtests right now
- Once we switch from cpio to 3cpio, 3cpio will be used/tested by the initramfs-tools and dracut autopkgtest.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Lintian overrides are not present
lintian output of a local build of 0.8.1-0ubuntu1:
W: rust-threecpio source: unknown-field Vendored-Sources-Rust
I: rust-threecpio source: adopted-extended-field (in section for 3cpio) XB-X-Cargo-Built-Using [debian/control:33]
I: rust-threecpio source: adopted-extended-field (in section for source) XSBC-Original-Maintainer [debian/control:17]
I: 3cpio: file-references-package-build-path [usr/bin/3cpio]
I: 3cpio: hardening-no-fortify-functions [usr/bin/3cpio]
P: rust-threecpio source: package-does-not-install-examples [debian/rust-vendor/lexopt/examples/]
X: rust-threecpio source: debian-watch-does-not-check-openpgp-signature [debian/watch]
X: rust-threecpio source: prefer-uscan-symlink filenamemangle s/.*\/(.*)\/download/threecpio-$1\.tar\.gz/g [debian/watch:4]
X: rust-threecpio source: update-debian-copyright 2024 vs 2025 [debian/copyright:26]
X: rust-threecpio source: upstream-metadata-file-is-missing
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to debian/rules:
https://git.launchpad.net/ubuntu/+source/rust-
threecpio/tree/debian/rules
[UI standards]
- Application is not really end-user facing (does not need translation)
[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate
all dependencies or recommends are in main.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be debcrafters-packages (since cpio is maintained by
debcrafters-packages) and I have their acknowledgment for that commitment
- The future owning team is already subscribed to the package
- The team debcrafters is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM)
- The team debcrafters is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).
- This package uses vendored rust code tracked in Cargo.lock as shipped,
in the package (at /usr/share/doc/3cpio/Cargo.lock - might be
compressed), "cargo vendor debian/rust-vendor/" is used for updating
- This package is rust based and vendors all non language-runtime
dependencies
- The 3cpio kept its dependency list short for easier maintenance.
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-threecpio/0.8.1-0ubuntu1
[Background information]
The Package description explains the package well
Upstream Name is 3cpio
Link to upstream project: https://github.com/bdrung/3cpio
The upstream README.md contains more information
dracut-core, initramfs-tools-core, live-build, microcode-initrd, and
ubuntu-standard depend on cpio. The plan is to change those tools to use
3cpio. The code for initramfs-tools is already written:
https://salsa.debian.org/kernel-team/initramfs-
tools/-/merge_requests/172. Code for dracut is pending. Changing
microcode-initrd will be simple.
** Affects: rust-threecpio (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to rust-threecpio in Ubuntu.
Matching subscriptions: rust-threecpio
https://bugs.launchpad.net/bugs/2119257
Title:
[MIR] rust-threecpio
Status in rust-threecpio package in Ubuntu:
New
Bug description:
[Availability]
The package rust-threecpio is already in Ubuntu universe.
The package rust-threecpio build for the architectures it is designed to work on.
The build for i386 should be enabled to have it on all architectures.
Link to package https://launchpad.net/ubuntu/+source/rust-threecpio
[Rationale]
- The package rust-threecpio is required in Ubuntu main for cpio archive
handling for initrds.
- The package rust-threecpio will generally be useful for a large part of
our user base
- Package rust-threecpio covers the same use case as GNU cpio, but is better
because 3cpio is written in Rust, thereby we want to replace it.
- 3cpio only support the cpio format used for initrds, but generating initrd
is the only use case for GNU cpio to be in main.
- This is the first time package will be in main
- The binary packages 3cpio needs to be in main to provide the 3cpio command.
- All binary packages built by rust-threecpio need to be in main (it only builds 3cpio)
- It would be great and useful to community/processes to have the
package 3cpio in Ubuntu main this cycle, but there is no definitive deadline.
[Security]
- No CVEs/security issues in this software in the past (since its birth in April 2024)
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/rust-threecpio/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rust-threecpio (currently still in NEW)
- Upstream's bug tracker: https://github.com/bdrung/3cpio/issues
- The package has no important open bugs (only feature requests)
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
RULE: - The package must include a non-trivial test suite
RULE: - it should run at package build and fail the build if broken
- The package runs a test suite on build time, if it fails
it makes the build fail, https://launchpadlibrarian.net/808547820/buildlog_ubuntu-questing-amd64.rust-threecpio_0.8.1-0ubuntu1_BUILDING.txt.gz
- The package does not run an autopkgtest because I haven't figured out how to run the usptream tests in autopkgtest (examples of how other Rust packages do it are welcome)
- The package does have not failing autopkgtests right now
- Once we switch from cpio to 3cpio, 3cpio will be used/tested by the initramfs-tools and dracut autopkgtest.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Lintian overrides are not present
lintian output of a local build of 0.8.1-0ubuntu1:
W: rust-threecpio source: unknown-field Vendored-Sources-Rust
I: rust-threecpio source: adopted-extended-field (in section for 3cpio) XB-X-Cargo-Built-Using [debian/control:33]
I: rust-threecpio source: adopted-extended-field (in section for source) XSBC-Original-Maintainer [debian/control:17]
I: 3cpio: file-references-package-build-path [usr/bin/3cpio]
I: 3cpio: hardening-no-fortify-functions [usr/bin/3cpio]
P: rust-threecpio source: package-does-not-install-examples [debian/rust-vendor/lexopt/examples/]
X: rust-threecpio source: debian-watch-does-not-check-openpgp-signature [debian/watch]
X: rust-threecpio source: prefer-uscan-symlink filenamemangle s/.*\/(.*)\/download/threecpio-$1\.tar\.gz/g [debian/watch:4]
X: rust-threecpio source: update-debian-copyright 2024 vs 2025 [debian/copyright:26]
X: rust-threecpio source: upstream-metadata-file-is-missing
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will be installed by default, but does not ask debconf
questions higher than medium
- Packaging and build is easy, link to debian/rules:
https://git.launchpad.net/ubuntu/+source/rust-
threecpio/tree/debian/rules
[UI standards]
- Application is not really end-user facing (does not need translation)
[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate
all dependencies or recommends are in main.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be debcrafters-packages (since cpio is maintained by
debcrafters-packages) and I have their acknowledgment for that commitment
- The future owning team is already subscribed to the package
- The team debcrafters is aware of the implications by a static build and
commits to test no-change-rebuilds and to fix any issues found for the
lifetime of the release (including ESM)
- The team debcrafters is aware of the implications of vendored code and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime
of the release (including ESM).
- This package uses vendored rust code tracked in Cargo.lock as shipped,
in the package (at /usr/share/doc/3cpio/Cargo.lock - might be
compressed), "cargo vendor debian/rust-vendor/" is used for updating
- This package is rust based and vendors all non language-runtime
dependencies
- The 3cpio kept its dependency list short for easier maintenance.
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rust-threecpio/0.8.1-0ubuntu1
[Background information]
The Package description explains the package well
Upstream Name is 3cpio
Link to upstream project: https://github.com/bdrung/3cpio
The upstream README.md contains more information
dracut-core, initramfs-tools-core, live-build, microcode-initrd, and
ubuntu-standard depend on cpio. The plan is to change those tools to
use 3cpio. The code for initramfs-tools is already written:
https://salsa.debian.org/kernel-team/initramfs-
tools/-/merge_requests/172. Code for dracut is pending. Changing
microcode-initrd will be simple.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rust-threecpio/+bug/2119257/+subscriptions