[MIR] libwebm (transitive dependency of libheif)[libheif -> aom -> libwebm]
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libwebm (Debian) | Fix Released | Unknown | | |
| libwebm (Ubuntu) | In Progress | Undecided | Unassigned | |
Bug Description
[Availability]
- The package libwebm is already in Ubuntu universe.
- The package libwebm does not build for the architectures
it is designed to work on.
- It currently builds and works for architectures:
amd64 arm64 armhf i386 ppc64el riscv64
It currently fails build unit tests for: s390x
https:/
Link to package https:/
[Rationale]
- The package libwebm will not generally be useful for a large part of
our user base, but is important/helpful still because it is vendored
in aom package that we intend to support as a dependency of libheif.
- It would be great and useful to community/processes to have the
package libwebm in Ubuntu main, but there is no definitive deadline.
[Security]
- Had 6 security issues in the past
- https:/
- https:/
- https:/
- https:/
- https:/
- https:/
No CVEs open against current version (1.0.0.29-1).
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does contain extensions to security-sensitive software:
the package provides a WebM parser which processes untrusted input
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and does not have many
long-term critical bugs open
- Ubuntu https:/
- Debian https:/
[Quality assurance - testing]
- The package runs a test suite at build time; if it fails,
the build fails. Link to build log:
https:/
- The package does not run an autopkgtest because it is not implemented
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package
https:/
- Please attach the full output you have got from
`lintian --pedantic` as an extra post to this bug.
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to d/rules:
https:/
Note: currently rules list individual test suites to run. Finding them
by a file name suffix will reduce maintenance effort.
[UI standards]
- Application is not end-user facing (does not need translation)
- No desktop file; not needed because the package does not
provide a GUI
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
Note: build time dependencies on libgmock-dev and libgtest-dev are present.
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- Owning Team will be Foundations Team
- Team is not yet subscribed, but will subscribe to the package before promotion
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package failed to build during the most recent test rebuild:
https:/
[Background information]
The Package description explains the package well
Upstream Name is libwebm
Link to upstream project https:/
Related branches
- Canonical Server MOTU reviewers: Pending requested
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
- Diff: 121 lines (+87/-1), 4 files modified:
debian/changelog (+7/-0)
debian/control (+2/-1)
debian/patches/0004-add-public-headers.patch (+77/-0)
debian/patches/series (+1/-0)
Changed in libwebm (Ubuntu):
assignee: nobody → Didier Roche-Tolomelli (didrocks)
tags: added: sec-1804
Changed in libwebm (Debian):
status: Unknown → Incomplete
summary:
- [MIR] libwebm (transitive dependency of libheif)
+ [MIR] libwebm (transitive dependency of libheif)[libheif -> aom -> libwebm]
Changed in libwebm (Debian):
status: Incomplete → Fix Released
It seems that the recommended way to use libwebm is to bundle it[1].
Debian provides libwebm package, but I believe would be reluctant to add headers to make it usable as a dependency[2].
Currently the following packages in Debian are bundling libwebm: firefox, qt6-webengine, aom, firefox-esr, libvpx, scummvm, qtwebengine-opensource-src, godot, thunderbird, chromium, sludge [3].
Should we decide to keep bundling it, then all of those packages will require security releases for CVEs. Should we decide to use it as a shared library, we are facing potential dependency rebuilds on each new version.
The library API/implementation has not had major changes recently, but we should not rule out the possibility that all of the packages above rely on different versions of the bundled library and switching them to the libwebm package will require patches or will introduce unintended bugs.
[1] https://groups.google.com/a/webmproject.org/g/webm-discuss/c/7ztiZTH8xBA/m/ahIbZOIiN3gJ
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030890
[3] https://codesearch.debian.net/search?q=mkvparser&literal=1&page=2&perpkg=1