Package mp3rgain for Debian/Ubuntu repositories

[M-Igashi]

Background

According to Wikipedia, the original mp3gain was removed from Debian and Ubuntu repositories in 2015 due to lack of maintenance.

Update (2026-01-21): mp3gain (1.6.2) is still available in Debian repositories. However, according to the Debian Security Tracker, it has multiple known security vulnerabilities including CVE-2023-49356 (stack buffer overflow, unpatched).

mp3rgain is a modern, actively maintained alternative written in Rust that provides full command-line compatibility with the original mp3gain, with memory safety guarantees.

Goal

Get mp3rgain packaged in official Debian and Ubuntu repositories as a memory-safe alternative to mp3gain.

Tasks

Research & Preparation

• Review Debian packaging guidelines: https://www.debian.org/doc/manuals/maint-guide/
• Review Rust packaging for Debian: https://wiki.debian.org/Teams/RustPackaging
• Ensure mp3rgain meets Debian Free Software Guidelines (DFSG) - MIT license is DFSG-compliant
• Add man page for mp3rgain - PR docs: add man page for mp3rgain #58 merged
• Add security documentation comparing mp3rgain vs mp3gain/aacgain CVEs

Debian Package Tooling

• Add cargo-deb configuration - PR chore: add cargo-deb configuration for Debian packaging #59 merged
• Add .deb build to GitHub Actions release workflow - PR ci: improve Debian package build #60 merged
• Test .deb package installation on Debian/Ubuntu - PR ci: add workflow to test .deb package on Debian/Ubuntu #61 merged

Collaboration with mp3gain Maintainer

• Research current mp3gain package status in Debian
• Identify mp3gain maintainer (Scott Hardin)
• Prepare email template for maintainer contact
• Send email to mp3gain maintainer (Scott Hardin)
• Wait for response and determine collaboration approach

Official Debian Repository (after maintainer response)

• Submit ITP (Intent to Package) bug to Debian: https://www.debian.org/devel/wnpp/
• Set up debcargo-conf for official Debian packaging
• Find a Debian sponsor/mentor if needed
• Work with Debian Rust Team for review

Ubuntu

• Once in Debian, it will automatically sync to Ubuntu
• Alternatively, submit to Ubuntu via PPA first for testing
• Consider submitting to Ubuntu Universe repository

Progress

Date	Progress
2026-01-12	Added man page (PR #58), cargo-deb config (PR #59)
2026-01-13	Added .deb build workflow (PR #60), test workflow (PR #61)
2026-01-21	v1.5.0 released with .deb package
2026-01-21	Researched mp3gain status - still in Debian with CVE-2023-49356 unpatched
2026-01-21	Prepared maintainer contact email template

Strategy

Instead of directly submitting an ITP, we are first reaching out to the current mp3gain maintainer (Scott Hardin) to:

1. Introduce mp3rgain as a memory-safe alternative
2. Discuss potential collaboration (coexistence or succession)
3. Offer help with security issues if needed

This collaborative approach respects the existing maintainer's work while proposing a path forward for security-conscious users.

Benefits for Debian/Ubuntu Users

• Memory safety: Written in Rust, immune to buffer overflow vulnerabilities
• Active maintenance: Regular updates and security-focused development
• Modern compatibility: Works on current Linux distributions (including ARM64)
• Full compatibility: Same CLI as original mp3gain (drop-in replacement)
• ReplayGain support: Track and album gain analysis

References

• Debian Security Tracker (mp3gain): https://security-tracker.debian.org/tracker/source-package/mp3gain
• Debian mp3gain package: https://tracker.debian.org/pkg/mp3gain
• CVE-2023-49356: https://nvd.nist.gov/vuln/detail/CVE-2023-49356
• Debian Rust Team: https://wiki.debian.org/Teams/RustPackaging
• cargo-deb tool: https://github.com/kornelski/cargo-deb
• ITP template: docs/debian/ITP-template.txt
• Maintainer contact template: docs/debian/maintainer-contact-template.txt

Notes

This is a significant undertaking that requires understanding of Debian packaging process. Community contributions welcome!

Next steps: Send email to mp3gain maintainer, then proceed based on response.

[M-Igashi]

Update (2026-01-27)

ITP (Intent to Package) submitted to Debian

After waiting one week with no response from the mp3gain maintainer, I have submitted an ITP to Debian BTS:

• To: submit@bugs.debian.org
• CC: debian-rust@lists.debian.org
• Subject: ITP: mp3rgain -- Lossless MP3 volume adjustment tool written in Rust

The ITP includes:

• Package details and features
• Relationship to existing mp3gain package (complementary, not replacement)
• Note about prior communication attempt with mp3gain maintainer
• Intent to maintain with Debian Rust Team

Next steps:

• Wait for Debian BTS confirmation email with bug number
• Update this issue with the ITP bug number once received
• Proceed with debcargo-conf setup for official Debian packaging

[M-Igashi]

ITP Bug Number Received

Debian ITP: #1126519

The ITP has been officially registered in Debian BTS.