[MIR] promote log4cplus to main as a isc-kea dependency

Bug #2003549 reported by Athos Ribeiro
Affects: log4cplus (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Availability]
- The package log4cplus is already in Ubuntu universe.
- The package log4cplus builds for the architectures it is designed to work on.
- It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, and s390x
- Link to package: https://launchpad.net/ubuntu/+source/log4cplus

[Rationale]
- The package log4cplus is required in Ubuntu main as a dependency of isc-kea, which is being promoted as part of LP: #2002861.
- The package log4cplus will generally be useful for a large part of our user base as an isc-kea dependency.
- The package log4cplus is required in Ubuntu main no before or along with the isc-kea promotion, whose time constraints are described in LP: #2002861.

[Security]
- No CVEs/security issues in this software in the past
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
- The package works well right after install (it is a library)

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/log4cplus/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=log4cplus
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails it makes the build fail, link to build log: https://launchpadlibrarian.net/632298606/buildlog_ubuntu-lunar-amd64.log4cplus_2.0.8-1_BUILDING.txt.gz
- The package does not run an autopkgtest because it only provides a runtime library. The server team will work into having the package to run its test suite against the installed package with autopkgtest.

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package: https://launchpadlibrarian.net/640214388/buildlog_ubuntu-lunar-amd64.log4cplus_2.0.8-1_BUILDING.txt.gz
- Lintian overrides are present, but ok because they are well documented and are addressing false positives.
- A full output from `lintian --pedantic` is available as a comment in this MIR bug.
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default.
- Packaging and build is easy, link to d/rules: https://git.launchpad.net/ubuntu/+source/log4cplus/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The server team is not yet, but will subscribe to the package before promotion
- This does not use static builds
- Vendored source code for the catch package is removed during the package cleaning phase. Moreover, the m4 directory contains macros extracted from autoconf.
- This package is not rust based
- The package successfully built during the most recent test rebuild: https://launchpad.net/ubuntu/+archive/test-rebuild-20221215-lunar-normal/+sourcepub/14223782/+listing-archive-extra

[Background information]
- The Package description explains the package well
- Upstream Name is log4cplus
- Link to upstream project: https://sourceforge.net/p/log4cplus/wiki/Home/

Athos Ribeiro (athos-ribeiro) wrote :

`lintian --pedantic` output:

Running lintian...
W: log4cplus source: orig-tarball-missing-upstream-signature log4cplus_2.0.8.orig.tar.xz
P: log4cplus source: very-long-line-length-in-source-file 1055 > 512 [Makefile.in:1601]
P: log4cplus source: very-long-line-length-in-source-file 598 > 512 [catch/docs/slow-compiles.md:24]
P: log4cplus source: very-long-line-length-in-source-file 603 > 512 [catch/docs/test-cases-and-sections.md:45]
P: log4cplus source: very-long-line-length-in-source-file 645 > 512 [catch/include/internal/catch_preprocessor.hpp:229]
P: log4cplus source: very-long-line-length-in-source-file 645 > 512 [catch/single_include/catch2/catch.hpp:907]
P: log4cplus source: very-long-line-length-in-source-file 726 > 512 [catch/docs/tutorial.md:118]

description: updated
description: updated
Changed in log4cplus (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote :

Review for Package: src:log4cplus

[Summary]
A logging library for C++, there seem to be more popular libraries out
there, but none is in "main" so far and isc-kea is using this.
Packaging needs to improve wrt. symbols tracking (and demangling) and
integration testing (autopkgtest).

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does not need a security review

List of specific binary packages to be promoted to main: liblog4cplus-2.0.8
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
- Upstream is running a CI for testing.
- embedded "threadpool/" code is minimal and not available in Ubuntu
- embedded "catch/" code is being removed before build and "catch" from
  the archive is being used instead
- loggingserver can open a socket, but is not being installed as part
  of the package

Required TODOs:
#1 please add symbols tracking capabilities (see "Packaging red flags")
#2 please add autopkgtests (as mentioned in the bug description)

Recommended TODOs:
#3 The package should get a team bug subscriber before being promoted
#4 Build-time warnings, mostly about generating the API docs, see below

[Duplication]
I cannot find any other relevant logging library for C++ in main, using:
$ apt list "?not(?section(/))" | grep log

According to https://cpp.libhunt.com/log4cplus-alternatives there seem
to be some more popular alternatives, like "src:spdlog" or
"src:google-glog" but those are in universe and we're not requesting
isc-kea to change its logging backend.

There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems:
- embedded source present:
=> embedded catch/ library (for testing, deleted during build, see d/clean)
=> embedded threadpool/ implementation (minimal, not in the archive)

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not integrate arbitrary javascript into the desktop (via -docs)
- does not process arbitrary web content
- does not use centralized online accounts
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal wi...


Changed in log4cplus (Ubuntu):
status: New → Incomplete
assignee: Lukas Märdian (slyon) → nobody
Lukas Märdian (slyon)
Changed in log4cplus (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Athos Ribeiro (athos-ribeiro) wrote :

https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/log4cplus/+git/log4cplus/+merge/437047 is being reviewed by Andreas Hasenack. As soon as I get a +1 there, I will upload the package, which fixes both required TODOs.

The upload should not be affected by the current feature freeze, since it is only adding dep8 tests and a symbols file.

Athos Ribeiro (athos-ribeiro) wrote :

Waiting for an approval on the FFe request so we can upload the changes for this one https://bugs.launchpad.net/ubuntu/+source/log4cplus/+bug/2008730

Athos Ribeiro (athos-ribeiro) wrote :

This has migrated. Both required TODOs have been addressed now.

Changed in log4cplus (Ubuntu):
status: Incomplete → New
Changed in log4cplus (Ubuntu):
assignee: Athos Ribeiro (athos-ribeiro) → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote :

Thanks, LGTM. MIR ACK.

You can start pulling it into "main" after adding a team bug subscriber to the package (~ubuntu-server).

Changed in log4cplus (Ubuntu):
status: New → In Progress
assignee: Lukas Märdian (slyon) → nobody
Athos Ribeiro (athos-ribeiro) wrote :

Thanks Lukas.

I subscribed the server team to the package. I will now wait for the isc-kea MIR so this gets pulled into main as its dependency.

Christian Ehrhardt (paelzer) wrote :

Agreed in the MIR meeting, pull it in via isc-kea (bug 2002861) and then ping and subscribe AAs to do the promotion of kea and this.

Athos Ribeiro (athos-ribeiro) wrote :

@ubuntu-archive: please promote isc-kea and log4cplus as per LP: #2002861 and LP: #2003549

Lukas Märdian (slyon)
Changed in log4cplus (Ubuntu):
status: In Progress → Fix Committed
Didier Roche-Tolomelli (didrocks) wrote :

Override component to main
log4cplus 2.0.8-1ubuntu1 in lunar: universe/libs -> main
liblog4cplus-2.0.5 2.0.8-1ubuntu1 in lunar amd64: universe/libs/optional/100% -> main
liblog4cplus-2.0.5 2.0.8-1ubuntu1 in lunar arm64: universe/libs/optional/100% -> main
liblog4cplus-2.0.5 2.0.8-1ubuntu1 in lunar armhf: universe/libs/optional/100% -> main
liblog4cplus-2.0.5 2.0.8-1ubuntu1 in lunar ppc64el: universe/libs/optional/100% -> main
liblog4cplus-2.0.5 2.0.8-1ubuntu1 in lunar riscv64: universe/libs/optional/100% -> main
liblog4cplus-2.0.5 2.0.8-1ubuntu1 in lunar s390x: universe/libs/optional/100% -> main
liblog4cplus-dev 2.0.8-1ubuntu1 in lunar amd64: universe/libdevel/extra/100% -> main
liblog4cplus-dev 2.0.8-1ubuntu1 in lunar arm64: universe/libdevel/extra/100% -> main
liblog4cplus-dev 2.0.8-1ubuntu1 in lunar armhf: universe/libdevel/extra/100% -> main
liblog4cplus-dev 2.0.8-1ubuntu1 in lunar ppc64el: universe/libdevel/extra/100% -> main
liblog4cplus-dev 2.0.8-1ubuntu1 in lunar riscv64: universe/libdevel/extra/100% -> main
liblog4cplus-dev 2.0.8-1ubuntu1 in lunar s390x: universe/libdevel/extra/100% -> main
liblog4cplus-doc 2.0.8-1ubuntu1 in lunar amd64: universe/doc/optional/100% -> main
liblog4cplus-doc 2.0.8-1ubuntu1 in lunar arm64: universe/doc/optional/100% -> main
liblog4cplus-doc 2.0.8-1ubuntu1 in lunar armhf: universe/doc/optional/100% -> main
liblog4cplus-doc 2.0.8-1ubuntu1 in lunar i386: universe/doc/optional/100% -> main
liblog4cplus-doc 2.0.8-1ubuntu1 in lunar ppc64el: universe/doc/optional/100% -> main
liblog4cplus-doc 2.0.8-1ubuntu1 in lunar riscv64: universe/doc/optional/100% -> main
liblog4cplus-doc 2.0.8-1ubuntu1 in lunar s390x: universe/doc/optional/100% -> main
Override [y|N]? y
20 publications overridden.

Changed in log4cplus (Ubuntu):
status: Fix Committed → Fix Released