[Python-modules-team] Bug#872942: Your mail
block 872942 by 881633 881642
thanks

-- 
Víctor Cuadrado Juan m...@viccuad.me
PGP key ID: 4096R: 0xA2591E231E251F36
Key fingerprint: E3C5 114C 0C5B 4C49 BA03 0991 A259 1E23 1E25 1F36
My signed E-Mails are trustworthy.

___
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

[Python-modules-team] Bug#867886: (no subject)
I suspect that the hanging test is `test_client_rpc.test_async_call`, but I
haven't seen it hang locally yet.

I will upload a new version with --vv for the tests for debugging this better
(once my un-expired gpg key is in the keyring or there's a sponsor upload).

-- 
Víctor Cuadrado Juan m...@viccuad.me

[Python-modules-team] Bug#821888: proselint: --demo option is broken
A little debugging found the culprit, you cannot open read-only files with
proselint, even if proselint doesn't need to (nor should) edit the files.

I will make a patch for this, and I have reported it upstream to get it
fixed [1].

Cheers,

[1]: https://github.com/amperser/proselint/issues/502

-- 
Víctor Cuadrado Juan m...@viccuad.me

[Python-modules-team] Bug#821886: proselint: clear_cache() function clears the current directory instead of the cache directory
Sorry for letting this issue idle so much, real life happened (change of job
and country).

On Wed, 20 Apr 2016 16:35:43 +0800 Paul Wise wrote:
> When I run `proselint --debug` from my home directory it searches my
> whole home directory for *.pyc files and deletes them. While *.pyc
> files are usually Python bytecode that might not be true for every user
> and even if they were, that doesn't mean the user doesn't want to keep
> them. Either way it is completely unacceptable to delete stuff from the
> user's home directory just because they want to debug proselint.

This is indeed a problem, didn't catch it before. I have patched it at the
Debian side (since it doesn't make sense to have it), and opened an issue
upstream to discuss it [1].

> Also, what happened to removing use of shell=True?

That is fixed on upstream's master, waiting to be released yet [2]. Sadly I
don't have much time to test and release a git snapshot, so I have opened a
blocker bug [3] and I will await for a new upstream release.

[1]: https://github.com/amperser/proselint/issues/490
[2]: https://github.com/amperser/proselint/issues/395
[3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827445

Cheers,

-- 
Víctor Cuadrado Juan m...@viccuad.me

[Python-modules-team] Bug#827445: python3-proselint: Remove `shell=True` as they are a security hazard
Package: python3-proselint
Version: 0.5.3-2
Severity: serious
Tags: security
Justification: This is a migration blocker bug, as this issue is already fixed
in upstream's unreleased master.

As said on Python's subprocess docs, using shell=True can be a security
hazard[1], as they open the door to shell code injection.

`shell=True` could for example be removed from:

    out = subprocess.check_output("proselint --version", shell=True)
    subprocess.call("proselint --debug >/dev/null", shell=True)

These other examples are possibly vulnerable to shell code injection:

    out = subprocess.check_output("proselint {}".format(fullpath), shell=True)
    subprocess.call("{} {}".format("open", fullpath), shell=True)
    subprocess.call("proselint {} >/dev/null".format(filepath), shell=True)

These other examples could maybe use python equivalents instead?:

    subprocess.call("find . -name '*.pyc' -delete", shell=True)
    subprocess.call("rm -rfv proselint/cache > /dev/null && mkdir -p {}".format(os.path.join(os.path.expanduser("~"), ".proselint")), shell=True)

See also upstream's bug tracker [2].

[1]: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
[2]: https://github.com/amperser/proselint/issues/395

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3-proselint depends on:
ii  python3-click   6.6-1
ii  python3-future  0.15.2-2
ii  python3-six     1.10.0-3
pn  python3:any

python3-proselint recommends no packages.

python3-proselint suggests no packages.

-- no debconf information

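Added example (not part of the original report, and not proselint's or Debian's code): the shell=True pattern quoted in Bug#827445 next to the argument-list form, plus Python equivalents of the find and rm commands that act only on an explicit directory, which is also the concern raised in Bug#821886. `echo` is an assumed stand-in for the proselint executable so the block runs offline; the file name and the directory layout are constructed.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

TOOL = "echo"  # stand-in for the proselint executable (assumption, runs offline)


def lint_with_shell(path):
    """Pattern from the report: the path is pasted into a shell command line."""
    return subprocess.check_output("{} {}".format(TOOL, path), shell=True).decode()


def lint_with_argv(path):
    """Same call as an argument list: no shell, the path stays one argument."""
    return subprocess.check_output([TOOL, path]).decode()


def remove_pyc(root):
    """Python equivalent of `find . -name '*.pyc' -delete`, with an explicit root."""
    removed = sorted(Path(root).rglob("*.pyc"))
    for pyc in removed:
        pyc.unlink()
    return [p.name for p in removed]


def reset_cache(cache_dir):
    """Python equivalent of `rm -rf <cache> && mkdir -p <cache>`."""
    cache_dir = Path(cache_dir)
    shutil.rmtree(cache_dir, ignore_errors=True)
    cache_dir.mkdir(parents=True, exist_ok=True)
    return cache_dir


def demo():
    # Constructed file name containing a shell metacharacter.
    name = "notes.md; echo INJECTED"
    with tempfile.TemporaryDirectory() as home:
        cache = Path(home, ".proselint")
        cache.mkdir()
        (cache / "stale.pyc").write_bytes(b"")
        (Path(home) / "keep.pyc").write_bytes(b"")  # user's file outside the cache
        removed = remove_pyc(cache)
        reset_cache(cache)
        survivors = sorted(p.name for p in Path(home).iterdir())
    return lint_with_shell(name), lint_with_argv(name), removed, survivors


if __name__ == "__main__":
    for item in demo():
        print(repr(item))
```

With the shell form the text after `;` runs as a second command; with the list form the whole string reaches the tool as a single file name, and the cleanup helpers leave `keep.pyc` outside the cache untouched.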