[MIR] pkgconf, replacement for pkg-config

Bug #1998095 reported by Gianfranco Costamagna
Affects           Status        Importance  Assigned to
pkgconf (Debian)  Fix Released  Unknown
pkgconf (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

Rationale: Debian moved from pkg-config to the new pkgconf version, providing the same binary.

Availability: The package is already available in universe and building on all archs.

Rationale: needed for mostly every package in the archive.

Security: It's well maintained upstream, in Debian, and in Ubuntu. There are no known serious issues.

Only one CVE dated 2018
CVE-2018-1000221 pkgconf version 1.5.0 to 1.5.2 contains a Buffer Overflow vulnerabilit ...

UI standards: n/a

Dependencies: atf-sh on i386 is needed to build.

Standards compliance: no known issues.

Maintenance: No known issues.

pkg-config had a long time standing Ubuntu delta, that is now dropped because pkgconf supports profiles and the multiarch lib location search is now default in Debian too.


Changed in pkgconf (Ubuntu):
assignee: nobody → MIR approval team (ubuntu-mir)
status: New → Confirmed
importance: Undecided → Medium
Lukas Märdian (slyon) wrote :

Adding a bug task for pkg-config and rls-ll-incoming tag, to bring the package ownership question up for discussion with the Foundations team.

tags: added: fr-3063
tags: added: rls-ll-incoming
Changed in pkg-config (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon)
Changed in pkgconf (Ubuntu):
assignee: MIR approval team (ubuntu-mir) → nobody
Lukas Märdian (slyon) wrote (last edit ):

Foundations agreed to take care of pkgconf (as of #ubuntu-meeting 2022-12-08). So I'll subscribe ~foundations-bugs and we can move on with this MIR.

"vorlon> pkg-config will be a removal as soon as pkgconf is clear"

Changed in pkgconf (Ubuntu):
assignee: nobody → Ioanna Alifieraki (joalif)
Sebastien Bacher (seb128) wrote :

update-notifier fails to build in lunar-proposed now; the error has been reported upstream as a regression in August with no reaction since, https://github.com/pkgconf/pkgconf/issues/260
Are we convinced it's a better alternative?

Gianfranco Costamagna (costamagnagianfranco) wrote :

I opened an rc bug in Debian for this issue: #1026216
and reverted that patch in Ubuntu.

Lukas Märdian (slyon)
tags: removed: rls-ll-incoming
Ioanna Alifieraki (joalif) wrote (last edit ):

Review for Package: pkgconf

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.
This does not need a security review
List of specific binary packages to be promoted to main: pkgconf, libpkgconf3, pkgconf-bin, libpkgconf-dev, pkg-config

Notes:

Please address/clarify the following :

Required TODOs:
1. Does it run autopkgtests? There is a test suite in the sources which runs at build time,
   that could be also run as autopkg, but I do not see anything under
   https://autopkgtest.ubuntu.com/packages/pkgconf or pkgconf in
   https://autopkgtest.ubuntu.com/testlist#index-p

Recommended TODOs:
2. Debian has bumped the version to 1.8.1. There is a very recent CVE, CVE-2023-24056:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24056
   This CVE is addressed upstream
   (https://github.com/pkgconf/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059)
   and pulled into Debian in 1.8.1
   (https://salsa.debian.org/debian/pkgconf/-/commit/05e3a9175a07194da5d7b80b9aa1f2f639d37db0).
   It would be nice to either sync from Debian or at least backport the CVE fix.

3. The source package produces 5 binaries, one of them being pkg-config, which iiuc is a transitional
   package; can you please clarify if we need it in main too?

- The package should get a team bug subscriber before being promoted

[Duplication]
pkgconf is a replacement for pkg-config, since Debian moved to it.

[Dependencies]
OK
- no other Dependencies to MIR due to this
  - pkgconf checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g., pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- This does not need special HW for build or test
- no new python2 dependency

Problems:
- does it have a test suite that runs as autopkgte...


Changed in pkgconf (Ubuntu):
status: Confirmed → Incomplete
assignee: Ioanna Alifieraki (joalif) → nobody
Bryce Harrington (bryce)
tags: added: update-excuses
Gianfranco Costamagna (costamagnagianfranco) wrote :

Required TODOs:
1. Does it run autopkgtests? There is a test suite in the sources which runs at build time,

Done.

Recommended TODOs:
2. Debian has bumped the version to 1.8.1. There is a very recent CVE, CVE-2023-24056:

Synced.

3. The source package produces 5 binaries, one of them being pkg-config, which iiuc is a transitional
   package; can you please clarify if we need it in main too?

$ reverse-depends -r lunar -b pkgconf |wc -l
83
$ reverse-depends -r lunar -b pkg-config |wc -l
3907

$ reverse-depends -r lunar -b pkg-config -c main |wc -l
606
$ reverse-depends -r lunar -b pkgconf -c main |wc -l
10

Unless we want to patch +600 main packages to switch to pkgconf instead of pkg-config I prefer to keep it (I don't know why pkgconf is not just providing pkg-config, probably to ensure people have smooth upgrades).

Maybe in some years from now, we can drop the transitional package and move to a Provides: one, or patch the Debian/Ubuntu archives to use the new naming.
For sure this is something that will eventually come from Debian I would say.
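The reverse-depends counts above are queried from the live archive. The following Python script is an added example, not code from this bug thread and not the reverse-depends tool itself: it computes the same kind of count offline from a deb822-style Sources index by parsing Build-Depends, Build-Depends-Indep and Build-Depends-Arch, stripping version constraints, architecture qualifiers and build profiles, treating alternatives (`a | b`) as mentions of both packages, and deriving the component from the Section field (a bare section such as `devel` means main; `universe/misc` means universe). The SAMPLE_SOURCES stanzas and the source package names alpha, beta, gamma and delta are constructed for illustration.

```python
"""Count reverse build-dependencies of a package from a deb822 Sources index.

Added example (not part of the Launchpad thread, not the reverse-depends tool).
"""
import re
from typing import Dict, List, Optional, Set

BUILD_DEP_FIELDS = ("Build-Depends", "Build-Depends-Indep", "Build-Depends-Arch")
# A Debian package name: lowercase alphanumerics plus '+', '.', '-'; the match
# stops before version constraints "(...)", arch qualifiers "[...]", build
# profiles "<...>" and the ":any" multiarch suffix.
_PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.-]*")

# Constructed sample index (stanzas separated by blank lines, as in a real Sources file).
SAMPLE_SOURCES = """\
Package: alpha
Section: devel
Build-Depends: debhelper-compat (= 13), pkg-config, libfoo-dev

Package: beta
Section: universe/misc
Build-Depends: debhelper (>= 12), pkgconf (>= 1.8) [!i386] | pkg-config,
 libbar-dev <!nocheck>

Package: gamma
Section: libs
Build-Depends: debhelper-compat (= 13)
Build-Depends-Indep: pkg-config:any, doxygen

Package: delta
Section: universe/libs
Build-Depends: cmake, pkgconf
"""


def parse_sources(text: str) -> List[Dict[str, str]]:
    """Parse deb822 stanzas: 'Field: value' lines, continuation lines start with whitespace."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            current[last_field] += " " + line.strip()   # folded continuation line
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def component_of(stanza: Dict[str, str]) -> str:
    """Component from the Section field: 'universe/misc' -> universe, bare 'devel' -> main."""
    section = stanza.get("Section", "")
    return section.split("/", 1)[0] if "/" in section else "main"


def build_dep_names(stanza: Dict[str, str]) -> Set[str]:
    """All package names mentioned in any build-dependency field, alternatives included."""
    names: Set[str] = set()
    for field in BUILD_DEP_FIELDS:
        for clause in stanza.get(field, "").split(","):
            for alternative in clause.split("|"):
                match = _PKG_NAME.match(alternative.strip())
                if match:
                    names.add(match.group(0))
    return names


def reverse_build_depends(sources_text: str, target: str,
                          component: Optional[str] = None) -> List[str]:
    """Source packages whose build-deps mention `target`, optionally restricted to one component."""
    hits = []
    for stanza in parse_sources(sources_text):
        if target not in build_dep_names(stanza):
            continue
        if component is not None and component_of(stanza) != component:
            continue
        hits.append(stanza.get("Package", "?"))
    return sorted(hits)


if __name__ == "__main__":
    # Mirrors the four counts quoted in the thread, on the constructed sample.
    for pkg in ("pkgconf", "pkg-config"):
        for comp in (None, "main"):
            label = f"{pkg}" + (f" -c {comp}" if comp else "")
            print(f"{label:20} {len(reverse_build_depends(SAMPLE_SOURCES, pkg, comp))}")
```

The script counts an alternative such as `pkgconf | pkg-config` as a reverse dependency of both packages, which is the conservative choice for a "who would need patching" estimate; a real migration plan would then inspect each hit to see whether the alternative already satisfies the build.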

Changed in pkgconf (Ubuntu):
status: Incomplete → New
Changed in pkgconf (Debian):
status: Unknown → New
Ioanna Alifieraki (joalif) wrote :

Thanks Gianfranco, this is good to proceed with the MIR.

Changed in pkgconf (Ubuntu):
status: New → In Progress
Jeremy Bícha (jbicha)
tags: added: lunar update-excuse
removed: update-excuses
Lukas Märdian (slyon) wrote (last edit ):

Looks like this is ready for promotion. I guess Foundations should do the seed change, in order to take ownership.

Asking for review from @vorlon: https://code.launchpad.net/~slyon/ubuntu-seeds/+git/platform/+merge/437267

Lukas Märdian (slyon)
no longer affects: pkg-config (Ubuntu)
Lukas Märdian (slyon)
Changed in pkgconf (Ubuntu):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Override component to main
pkgconf 1.8.1-1ubuntu2 in lunar: universe/misc -> main
libpkgconf-dev 1.8.1-1ubuntu2 in lunar amd64: universe/libdevel/optional/100% -> main
libpkgconf-dev 1.8.1-1ubuntu2 in lunar arm64: universe/libdevel/optional/100% -> main
libpkgconf-dev 1.8.1-1ubuntu2 in lunar armhf: universe/libdevel/optional/100% -> main
libpkgconf-dev 1.8.1-1ubuntu2 in lunar i386: universe/libdevel/optional/100% -> main
libpkgconf-dev 1.8.1-1ubuntu2 in lunar ppc64el: universe/libdevel/optional/100% -> main
libpkgconf-dev 1.8.1-1ubuntu2 in lunar riscv64: universe/libdevel/optional/100% -> main
libpkgconf-dev 1.8.1-1ubuntu2 in lunar s390x: universe/libdevel/optional/100% -> main
libpkgconf3 1.8.1-1ubuntu2 in lunar amd64: universe/libs/optional/100% -> main
libpkgconf3 1.8.1-1ubuntu2 in lunar arm64: universe/libs/optional/100% -> main
libpkgconf3 1.8.1-1ubuntu2 in lunar armhf: universe/libs/optional/100% -> main
libpkgconf3 1.8.1-1ubuntu2 in lunar i386: universe/libs/optional/100% -> main
libpkgconf3 1.8.1-1ubuntu2 in lunar ppc64el: universe/libs/optional/100% -> main
libpkgconf3 1.8.1-1ubuntu2 in lunar riscv64: universe/libs/optional/100% -> main
libpkgconf3 1.8.1-1ubuntu2 in lunar s390x: universe/libs/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar amd64: main/devel/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar arm64: main/devel/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar armhf: main/devel/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar i386: main/devel/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar ppc64el: main/devel/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar riscv64: main/devel/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar s390x: main/devel/optional/100% -> main
pkgconf 1.8.1-1ubuntu2 in lunar amd64: universe/devel/optional/100% -> main
pkgconf 1.8.1-1ubuntu2 in lunar arm64: universe/devel/optional/100% -> main
pkgconf 1.8.1-1ubuntu2 in lunar armhf: universe/devel/optional/100% -> main
pkgconf 1.8.1-1ubuntu2 in lunar i386: universe/devel/optional/100% -> main
pkgconf 1.8.1-1ubuntu2 in lunar ppc64el: universe/devel/optional/100% -> main
pkgconf 1.8.1-1ubuntu2 in lunar riscv64: universe/devel/optional/100% -> main
pkgconf 1.8.1-1ubuntu2 in lunar s390x: universe/devel/optional/100% -> main
pkgconf-bin 1.8.1-1ubuntu2 in lunar amd64: universe/devel/optional/100% -> main
pkgconf-bin 1.8.1-1ubuntu2 in lunar arm64: universe/devel/optional/100% -> main
pkgconf-bin 1.8.1-1ubuntu2 in lunar armhf: universe/devel/optional/100% -> main
pkgconf-bin 1.8.1-1ubuntu2 in lunar i386: universe/devel/optional/100% -> main
pkgconf-bin 1.8.1-1ubuntu2 in lunar ppc64el: universe/devel/optional/100% -> main
pkgconf-bin 1.8.1-1ubuntu2 in lunar riscv64: universe/devel/optional/100% -> main
pkgconf-bin 1.8.1-1ubuntu2 in lunar s390x: universe/devel/optional/100% -> main
pkg-config 1.8.1-1ubuntu2 in lunar amd64 remained the same
pkg-config 1.8.1-1ubuntu2 in lunar arm64 remained the same
pkg-config 1.8.1-1ubuntu2 in lunar armhf remained the same
pkg-config 1.8.1-1ubuntu2 in lunar i386 remained the same
pkg-config 1.8.1-1ubuntu2 in lunar ppc64el remained the...


Changed in pkgconf (Ubuntu):
status: Fix Committed → Fix Released
Changed in pkgconf (Debian):
status: New → Fix Released