** Changed in: brotli (Ubuntu)
     Assignee: Canonical Security Team (canonical-security) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1737053

Title:
  [MIR] brotli

Status in brotli package in Ubuntu:
  New

Bug description:
  Availability
  ============
  Built for all supported architectures. In sync with Debian.

  Rationale
  =========
  brotli is a file compression format and library developed and maintained
  by Google. brotli is required by the WOFF 2.0 format for compressed web
  fonts. brotli and woff2 are libraries that are technically already in main
  because they are bundled in Firefox and webkit2gtk.

  The next major stable release of webkit2gtk, 2.20, will be released in
  March. It drops those 2 bundled libraries. I think our options are basically
  1) Bundle those libraries anyway, or
  2) Approve this MIR, or
  3) Drop support for the WOFF2 format in webkit2gtk

  Security
  ========
  brotli is a security-sensitive library.

  There was one security bug fixed recently for xenial (LP: #1737364)

  https://security-tracker.debian.org/tracker/source-package/brotli
  https://launchpad.net/ubuntu/+source/brotli/+cve

  Quality assurance
  =================
  - Ubuntu Desktop Bugs is subscribed.
  - dh_auto_test runs upstream build tests. Test failure would fail the build.
  - New autopkgtests pass on all arches:
  http://autopkgtest.ubuntu.com/packages/b/brotli
  https://ci.debian.net/packages/b/brotli/

  https://bugs.launchpad.net/ubuntu/+source/brotli
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=brotli
  https://github.com/google/brotli/issues

  Dependencies
  ============
  No universe binary dependencies

  Standards compliance
  ====================
  4.1.1, debhelper compat 10, dh7 simple rules

  Maintenance
  ===========
  Actively maintained:
  https://github.com/google/brotli

  Not team maintained in Debian.
  https://tracker.debian.org/pkg/brotli

  Other Info
  ==========
  webkit2gtk is managed similarly to Firefox and Chromium. So far, new
  releases are pushed to Ubuntu 16.04 LTS and newer as security updates, but
  the Ubuntu Security Team does not guarantee security support for webkit2gtk.

  The woff2 MIR is LP: #1742743

  We are going to need to backport brotli and woff2 into main as
  security updates for 16.04 LTS and 17.10. The new version of brotli
  adds new binary packages (in particular, the C library needed by woff2
  and webkit2gtk).

  brotli has no reverse dependencies in 16.04 and 17.10. (fonttools is a
  reverse-dependency in 18.04.)

  brotli has a bizarre build system.
