** Description changed: [Availability] The package uwsgi is already in Ubuntu universe. The package uwsgi builds for the architectures it is designed to work on. It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, ppc64el, riscv64, s390x Link to package: https://launchpad.net/ubuntu/+source/uwsgi [Rationale] - The package uwsgi is required in Ubuntu main as a runtime dependency for - OpenStack services (keystone, nova, neutron, glance, cinder, - placement, ...) which are dropping mod_wsgi+apache2 in favour of - uwsgi-native deployment. Those service packages are already in main; - promoting uwsgi closes the gap. + OpenStack services (keystone, nova, neutron, glance, cinder, + placement, ...) which are dropping mod_wsgi+apache2 in favour of + uwsgi-native deployment. Those service packages are already in main; + promoting uwsgi closes the gap. - The package is useful to a large part of the server user base - (OpenStack consumers, plus general Python/PSGI/Rack web-app hosting). + (OpenStack consumers, plus general Python/PSGI/Rack web-app hosting). - No better alternative already in main: mod_wsgi is being removed by - upstream OpenStack, and gunicorn/mod_proxy_uwsgi do not cover the - full Emperor/process-management/protocol surface OpenStack relies on. + upstream OpenStack, and gunicorn/mod_proxy_uwsgi do not cover the + full Emperor/process-management/protocol surface OpenStack relies on. - This is the first time src:uwsgi will be in main. - Binary packages needed in main: uwsgi-core, uwsgi, uwsgi-emperor. - All other binaries built by src:uwsgi (uwsgi-dev, uwsgi-src, - uwsgi-extra, uwsgi-plugin-*) remain in universe. + All other binaries built by src:uwsgi (uwsgi-dev, uwsgi-src, + uwsgi-extra, uwsgi-plugin-*) remain in universe. - Required no later than the 26.10 release so OpenStack 2026.2 - can ship with a supported uwsgi-native deployment path. + can ship with a supported uwsgi-native deployment path. [Security] - 5 historical CVEs (as of 2026-04-21): CVE-2018-6758 and CVE-2018-7490 - fixed upstream and in Debian/Ubuntu; CVE-2020-11984, CVE-2021-36160 - and CVE-2024-24795 are Apache httpd mod_proxy_uwsgi issues, not - affecting current Ubuntu uwsgi (the apache module moved to - src:apache2 after 2.0.15-11). - - Ubuntu tracker: https://ubuntu.com/security/cves?package=uwsgi - - Debian tracker: https://security-tracker.debian.org/tracker/source-package/uwsgi + fixed upstream and in Debian/Ubuntu; CVE-2020-11984, CVE-2021-36160 + and CVE-2024-24795 are Apache httpd mod_proxy_uwsgi issues, not + affecting current Ubuntu uwsgi (the apache module moved to + src:apache2 after 2.0.15-11). + - Ubuntu tracker: https://ubuntu.com/security/cves?package=uwsgi + - Debian tracker: https://security-tracker.debian.org/tracker/source-package/uwsgi - No suid/sgid binaries; no executables in /sbin or /usr/sbin. - Ships init.d scripts and systemd units for uwsgi and uwsgi-emperor - (debian/uwsgi*.init.d, debian/uwsgi-emperor.service, - debian/uwsgi-files/systemd/uwsgi-app@.{service,socket}). No timers. + (debian/uwsgi*.init.d, debian/uwsgi-emperor.service, + debian/uwsgi-files/systemd/uwsgi-app@.{service,socket}). No timers. - Privilege isolation: defaults run as www-data, Unix sockets under - /run/uwsgi with mode 660; per-app systemd template uses DynamicUser=yes; - uwsgi supports uid/gid drop and libcap-backed capability control. + /run/uwsgi with mode 660; per-app systemd template uses DynamicUser=yes; + uwsgi supports uid/gid drop and libcap-backed capability control. - Hardening gap to flag: systemd units do not set NoNewPrivileges=, - PrivateTmp=, ProtectSystem=, ProtectHome=, RestrictAddressFamilies= or - CapabilityBoundingSet=. No AppArmor profile shipped. Worth a follow-up. + PrivateTmp=, ProtectSystem=, ProtectHome=, RestrictAddressFamilies= or + CapabilityBoundingSet=. No AppArmor profile shipped. Worth a follow-up. - No privileged ports opened by default. No external endpoints by default - (Unix sockets only). No filters/scanners/PAM modules or UI skins; only - uwsgi's own plugin model. + (Unix sockets only). No filters/scanners/PAM modules or UI skins; only + uwsgi's own plugin model. - TLS/SSL: SSLv2/SSLv3/TLSv1 disabled by default in core/ssl.c; opt-in - options to re-enable SSLv3/TLSv1 still exist (ssl-enable-sslv3, - ssl-enable-tlsv1). TLSv1.1 not explicitly disabled — relies on system - crypto policy. Cipher names are admin-configurable in - plugins/logcrypto and core/legion.c (no weak default). + options to re-enable SSLv3/TLSv1 still exist (ssl-enable-sslv3, + ssl-enable-tlsv1). TLSv1.1 not explicitly disabled — relies on system + crypto policy. Cipher names are admin-configurable in + plugins/logcrypto and core/legion.c (no weak default). [Quality assurance - function/usage] - The package works well right after install. [Quality assurance - maintenance] - Maintained well in Debian (Debian unstable: 2.0.31-4; uploads - 2.0.28-9 through 2.0.31-4 between Mar 2025 and Mar 2026; 0 RC bugs). - Upstream continues 2.0.x maintenance releases but has ~780 open - issues / ~90 PRs — distribution-level confidence rests on Debian - packaging activity rather than upstream triage speed. - - Ubuntu bugs: https://bugs.launchpad.net/ubuntu/+source/uwsgi/+bugs - (6 open as of 2026-04-21, all Undecided) - - Debian: https://tracker.debian.org/pkg/uwsgi - - Upstream: https://github.com/unbit/uwsgi/issues + 2.0.28-9 through 2.0.31-4 between Mar 2025 and Mar 2026; 0 RC bugs). + Upstream continues 2.0.x maintenance releases but has ~780 open + issues / ~90 PRs — distribution-level confidence rests on Debian + packaging activity rather than upstream triage speed. + - Ubuntu bugs: https://bugs.launchpad.net/ubuntu/+source/uwsgi/+bugs + (6 open as of 2026-04-21, all Undecided) + - Debian: https://tracker.debian.org/pkg/uwsgi + - Upstream: https://github.com/unbit/uwsgi/issues - No exotic hardware requirements. [Quality assurance - testing] - Build-time: debian/rules override_dh_auto_test runs shellcheck on - maintainer scripts, init scripts, and uwsgi init helpers; failures - fail the build. + maintainer scripts, init scripts, and uwsgi init helpers; failures + fail the build. - Autopkgtest passing on resolute amd64/arm64/armhf/ppc64el/s390x for - 2.0.31-2 (2026-04-15/16). Results: - https://autopkgtest.ubuntu.com/packages/u/uwsgi/resolute/ + 2.0.31-2 (2026-04-15/16). Results: + https://autopkgtest.ubuntu.com/packages/u/uwsgi/resolute/ - Test is non-trivial: debian/tests/integration runs t/runner (10 - unittest classes) against /usr/bin/uwsgi — launches a local server, - verifies TCP readiness, makes HTTP requests via python3-requests, - exercises the CGI plugin. + unittest classes) against /usr/bin/uwsgi — launches a local server, + verifies TCP readiness, makes HTTP requests via python3-requests, + exercises the CGI plugin. - No failing autopkgtests; no special hardware required. OpenStack - service-level integration tests provide additional coverage at the - use-case level. + service-level integration tests provide additional coverage at the + use-case level. [Quality assurance - packaging] - A mechanism to detect and fetch new upstream versions is present and works. - debian/control defines a correct Maintainer field but will need to be - updated once an Ubuntu delta is applied. + updated once an Ubuntu delta is applied. - This package does not yield massive lintian Warnings or Errors. - Recent build log: https://launchpad.net/ubuntu/+source/uwsgi/2.0.31-2 - Lintian overrides are present, but ok because: - - debian/source/lintian-overrides: dep5 license-paragraph references - (Debian #786450), debian/patches/0* pattern, py distutils/pipes - fallbacks in upstream plugin scripts. - - debian/uwsgi-core.lintian-overrides: shared-library-lacks-prerequisites - for plugin .so files; doc-base for test data. - - debian/uwsgi.lintian-overrides: missing-systemd-service-for-init.d-script - (covered by uwsgi-app@ template units, Debian #1039408). - - debian/uwsgi-src.lintian-overrides: documentation-outside-usr-share-doc - (uwsgi-src ships the extracted tarball by design). + - debian/source/lintian-overrides: dep5 license-paragraph references + (Debian #786450), debian/patches/0* pattern, py distutils/pipes + fallbacks in upstream plugin scripts. + - debian/uwsgi-core.lintian-overrides: shared-library-lacks-prerequisites + for plugin .so files; doc-base for test data. + - debian/uwsgi.lintian-overrides: missing-systemd-service-for-init.d-script + (covered by uwsgi-app@ template units, Debian #1039408). + - debian/uwsgi-src.lintian-overrides: documentation-outside-usr-share-doc + (uwsgi-src ships the extracted tarball by design). - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies. - The package will not be installed by default. - Packaging and build is moderately complex but well-structured. The - source package builds eight binary packages (uwsgi, uwsgi-core, - uwsgi-dev, uwsgi-emperor, uwsgi-extra, uwsgi-src) plus a set of - per-plugin binaries (uwsgi-plugin-alarm-curl, uwsgi-plugin-alarm-xmpp, - uwsgi-plugin-curl-cron, uwsgi-plugin-emperor-pg, - uwsgi-plugin-geoip, uwsgi-plugin-graylog2, uwsgi-plugin-ldap, - uwsgi-plugin-router-access, uwsgi-plugin-sqlite3, uwsgi-plugin-xslt). + source package builds eight binary packages (uwsgi, uwsgi-core, + uwsgi-dev, uwsgi-emperor, uwsgi-extra, uwsgi-src) plus a set of + per-plugin binaries (uwsgi-plugin-alarm-curl, uwsgi-plugin-alarm-xmpp, + uwsgi-plugin-curl-cron, uwsgi-plugin-emperor-pg, + uwsgi-plugin-geoip, uwsgi-plugin-graylog2, uwsgi-plugin-ldap, + uwsgi-plugin-router-access, uwsgi-plugin-sqlite3, uwsgi-plugin-xslt). [UI standards] - Application is not end-user facing (does not need translation). [Dependencies] - In-scope for main: uwsgi-core, uwsgi, uwsgi-emperor. All other binaries - from this source stay in universe. - - Build-Depends in universe (allowed per MIR rules): help2man, - libgeoip-dev, libgloox-dev, libzmq5-dev/libzmq3-dev, shellcheck. - - Runtime finding: uwsgi-core ships emperor_zeromq, logzmq and mongrel2 - plugins which link -lzmq, so ${shlibs:Depends} pulls libzmq5 (universe) - into uwsgi-core. Libzmq5 was previously approved for an MIR but never promoted. This will be looked into and resubmitted if need be. - - Companion MIRs required: uwsgi-plugin-python3 is needed. WIP, will be linked here once filed. https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1597439 + from this source stay in universe. + - Runtime dependencies: uwsgi-core ships emperor_zeromq, logzmq and mongrel2 + plugins which link -lzmq, so ${shlibs:Depends} pulls libzmq5 (universe) + into uwsgi-core. Libzmq5 was previously approved for an MIR but never promoted. This will be looked into and resubmitted if need be. + https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1597439 + - Companion MIRs required: uwsgi-plugin-python3: https://bugs.launchpad.net/ubuntu/+source/uwsgi-plugin-python/+bug/2152614 [Standards compliance] - This package correctly follows FHS and Debian Policy. [Maintenance/Owner] - The owning team will be ~ubuntu-openstack and I have their acknowledgment - for that commitment. + for that commitment. - The future owning team is not yet subscribed, but will subscribe to - the package before promotion. + the package before promotion. - This does not use static builds; uwsgi is a C application linked - dynamically via ${shlibs:Depends}. + dynamically via ${shlibs:Depends}. - This does not use vendored code: no vendor/, no Cargo.lock, no go.sum. - (Upstream t/go/ files are test fixtures; plugins/gccgo is excluded - via UWSGI_SRCPLUGINS_ALIEN.) + (Upstream t/go/ files are test fixtures; plugins/gccgo is excluded + via UWSGI_SRCPLUGINS_ALIEN.) - Refreshing instructions therefore do not apply. - debian/copyright therefore does not need to cover vendored content. - This package is not rust based. - The package has been built within the last 3 months in the archive. - Build link on Launchpad: https://launchpad.net/ubuntu/+source/uwsgi/2.0.31-2 This change will impact other teams and they are/will be made aware: - Ubuntu Server (nginx/apache2 front-ends, AppArmor) - Ubuntu OpenStack (consumer driving the migration) - - Ubuntu Security (SSL/TLS posture, systemd hardening follow-ups) - - src:uwsgi-plugin-python maintainers (companion MIR) [Background information] - The package description explains the package well. - Upstream name: uwsgi - Link to upstream project: https://github.com/unbit/uwsgi
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2151202 Title: [MIR] uwsgi To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/uwsgi/+bug/2151202/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
