[Bug 1543754] Re: [MIR] barbican, python-pykmip
Marking pykmip as a won't fix - the solution we are deploying makes use of Vault, which has its own REST API.

** Changed in: python-pykmip (Ubuntu)
Status: Incomplete => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1543754

Title:
[MIR] barbican, python-pykmip

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/barbican/+bug/1543754/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1543754] Re: [MIR] barbican, python-pykmip
James, is there still interest in python-pykmip in main? This package had some issues identified that should be fixed prior to promotion.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
** Changed in: python-pykmip (Ubuntu)
Assignee: (unassigned) => Ubuntu OpenStack (ubuntu-openstack)
[Bug 1543754] Re: [MIR] barbican, python-pykmip
The use of: sqlite:tmp/pykmip.database is hardcoded, so we'll have to patch this - ideally it would be located in /var/lib/pykmip with an appropriate user and permissions. This is used in the native implementation only AFAICT and as such is not considered secure, but could definitely be improved.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
Override component to main
barbican 1:3.0.0~b2-0ubuntu2 in yakkety: universe/misc -> main
barbican-api 1:3.0.0~b2-0ubuntu2 in yakkety (amd64, arm64, armhf, i386, powerpc, ppc64el, s390x): universe/net/extra/100% -> main
barbican-common 1:3.0.0~b2-0ubuntu2 in yakkety (amd64, arm64, armhf, i386, powerpc, ppc64el, s390x): universe/net/extra/100% -> main
barbican-doc 1:3.0.0~b2-0ubuntu2 in yakkety (amd64, arm64, armhf, i386, powerpc, ppc64el, s390x): universe/doc/extra/100% -> main
barbican-keystone-listener 1:3.0.0~b2-0ubuntu2 in yakkety (amd64, arm64, armhf, i386, powerpc, ppc64el, s390x): universe/net/extra/100% -> main
barbican-worker 1:3.0.0~b2-0ubuntu2 in yakkety (amd64, arm64, armhf, i386, powerpc, ppc64el, s390x): universe/net/extra/100% -> main
python-barbican 1:3.0.0~b2-0ubuntu2 in yakkety (amd64, arm64, armhf, i386, powerpc, ppc64el, s390x): universe/python/extra/100% -> main
43 publications overridden.

** Changed in: barbican (Ubuntu)
Status: Fix Committed => Fix Released
[Bug 1543754] Re: [MIR] barbican, python-pykmip
Needs to be seeded - sorting that out now.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
> OpenStack Mitaka requires the barbican package.

There is no package in main which depends on barbican. It has been promoted to main, but now is listed in components-mismatches as requiring demotion.
http://people.canonical.com/~ubuntu-archive/component-mismatches-proposed

What is meant to be depending on barbican in main?
[Bug 1543754] Re: [MIR] barbican, python-pykmip
Please could you package a Python3 module as well? Having a Python2-only module in main should be a no-go given that we are trying to demote Python2.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
I think we're good with barbican now; MIR approved -- Of course, this will still be blocked on the issues listed by Seth for python-pykmip.

** Changed in: barbican (Ubuntu)
Status: In Progress => Fix Committed
[Bug 1543754] Re: [MIR] barbican, python-pykmip
I reviewed python-pykmip version 0.5.0-1 as checked into Ubuntu yakkety; this shouldn't be considered a full security audit but rather a quick gauge of maintainability.

- I did not notice python-pykmip CVEs in our tracking database
- python-pykmip provides a standardized user interface to hardware security modules, and provides a software "hardware" security module; this is marked deprecated, but might yet prove useful with proper access control mechanisms in place.
- Build-depends: debhelper, dh-python, python-all, python-setuptools, python-sphinx, python3-all, python3-setuptools, python-coverage, python-cryptography, python-enum34, python-fixtures, python-mock, python-pytest, python-six, python-sqlalchemy, python-testresources, python-testscenarios, python-testtools, python3-coverage, python3-cryptography, python3-fixtures, python3-mock, python3-pytest, python3-six, python3-sqlalchemy, python3-subunit, python3-testresources, python3-testscenarios, python3-testtools, subunit, testrepository
- Does not daemonize as usual, hopefully whatever uses pykmip is prepared to handle the usual daemonizing
- pre/post inst/rm are automatically generated dh_python* and update-alternatives
- No initscript
- No dbus services
- No setuid
- python3-pykmip-server and python2-pykmip-server executables in PATH
- No sudo fragments
- No udev rules
- Relatively clean build logs
- No cronjobs
- Many tests in test suite run during build
- No subprocesses spawned
- Logging file opened via usual logging mechanisms
- Logging mechanisms looked safe
- Does not itself use environment variables
- No privileged operations
- Uses python's TLS facilities
- Listens on sockets
- I didn't review closely enough to discover if there are privileged areas of code
- /tmp use that looks sketchy: sqlite:tmp/pykmip.database in KmipEngine() This may justify further exploration, fixes.
- Does not use WebKit
- Does not use PolicyKit
- Does not use JS

The parts of this that I read looked professionally programmed; that said, the sqlite:tmp/pykmip.database is awkward and out of place. Where does this get stored? Before we can promote this package to main we need to be sure that this database isn't stored in /tmp with a predictable name.

Thanks

** Changed in: python-pykmip (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
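The predictable-name-in-/tmp concern raised in the review above and in the later "sqlite:tmp/pykmip.database is hardcoded" comment, worked through as an added example. This is not PyKMIP or Barbican code: it shows the check a packager would want before trusting a database location, and the fix the thread suggests (a dedicated directory such as /var/lib/pykmip owned by the service user). The directory is a parameter, and the demo scenarios (a private directory, a /tmp-like shared one, an attacker-planted symlink) are constructed here inside temporary directories.

```python
# Added example (not PyKMIP or Barbican code): create the server's sqlite
# database only in a location another local user cannot pre-empt.
import errno
import os
import sqlite3
import stat
import tempfile


class UnsafeDatabasePath(Exception):
    """The database location could be influenced by another local user."""


def check_private_dir(directory):
    """Require a real directory, owned by the current user, not writable by others.

    /tmp fails this (world-writable); /var/lib/pykmip owned by the service
    user with mode 0700 passes.
    """
    st = os.lstat(directory)      # lstat: a symlink standing in for the dir is rejected
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDatabasePath("%s is not a directory" % directory)
    if st.st_uid != os.geteuid():
        raise UnsafeDatabasePath("%s is owned by uid %d, not by us" % (directory, st.st_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeDatabasePath("%s is group- or world-writable" % directory)


def create_database_file(directory, name="pykmip.database"):
    """Create or reuse the database file and return its path.

    O_NOFOLLOW makes the open fail with ELOOP if someone planted a symlink
    under the predictable name, so the data never lands in a file the
    attacker chose; a new file gets mode 0600, an existing one must be a
    regular file we own.
    """
    check_private_dir(directory)
    path = os.path.join(directory, name)
    try:
        fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):   # Linux / BSD errno for "is a symlink"
            raise UnsafeDatabasePath("%s is a symlink" % path)
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise UnsafeDatabasePath("%s is not a regular file owned by us" % path)
        if st.st_mode & 0o077:
            os.fchmod(fd, 0o600)   # tighten a pre-existing file left with a looser mode
    finally:
        os.close(fd)
    return path


def open_database(directory, name="pykmip.database"):
    """Open sqlite3 on the safely created file and make sure the schema exists."""
    conn = sqlite3.connect(create_database_file(directory, name))
    conn.execute("CREATE TABLE IF NOT EXISTS managed_objects "
                 "(uid INTEGER PRIMARY KEY, value BLOB NOT NULL)")
    conn.commit()
    return conn


def file_mode(path):
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def refuses(directory, name="pykmip.database"):
    """True if create_database_file rejects the location."""
    try:
        create_database_file(directory, name)
    except UnsafeDatabasePath:
        return True
    return False


# Constructed scenarios for the demo: mkdtemp() gives a private directory
# with mode 0700; the shared one imitates /tmp; plant_symlink imitates an
# attacker who pre-created the predictable name.
def new_private_dir():
    return tempfile.mkdtemp(prefix="pykmip-private-")


def new_shared_dir():
    d = tempfile.mkdtemp(prefix="pykmip-shared-")
    os.chmod(d, 0o1777)            # world-writable + sticky, like /tmp
    return d


def plant_symlink(directory, name="pykmip.database", target=os.devnull):
    os.symlink(target, os.path.join(directory, name))


if __name__ == "__main__":
    good = new_private_dir()
    open_database(good).close()
    print("mode of new database:", oct(file_mode(os.path.join(good, "pykmip.database"))))
    print("shared /tmp-like dir refused:", refuses(new_shared_dir()))
    bad = new_private_dir()
    plant_symlink(bad)
    print("planted symlink refused:", refuses(bad))
```

The directory check is what gives the path check meaning: once the directory is private to the service user, nobody else can race the name between the fstat and sqlite's own open, so the remaining O_NOFOLLOW and ownership checks only have to defend against state left behind before the directory was locked down.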
[Bug 1543754] Re: [MIR] barbican, python-pykmip
Mathieu, I've pushed fixes to lp:~ubuntu-server-dev/ubuntu/+source/barbican to resolve the majority of lintian warnings; systemd-service-file-missing-documentation-key needs to be fixed outside of this package as systemd configuration is automatically generated - right now every core openstack package will have this warning (I'll look at openstack-pkg-tools to see if we can do anything intelligent with Documentation keys).

I've also added pykmip as a Recommends to ensure it gets pulled into main.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
FTR merging with Debian is tricky; the required barbican version is in experimental (so no merge-o-matic), and we have quite divergent views on what a core piece of OpenStack packaging should be doing compared to the opinion of the principal developer in the pkg-openstack team in Debian. So typically core openstack packages are effectively forked; we do maintain collaboration on the dependency chain to gain some level of benefit to both Ubuntu and Debian in the bezillion things needed to support OpenStack.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
pykmip would be the principal integration library for a HSM; so I think it does need to at least be a Recommends; if someone is not using pykmip, they are using the internal insecure secrets store.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
python-ldap has been demoted from main to universe since the original request -- please ask the ubuntu-archive team to reinstate it (should not need a MIR since it used to be in main in Wily).

I only noticed one thing I would consider a blocker:

Given that python-pykmip was a Build-Dependency, I will let you decide if it's worth keeping the MIR request (if anything actually has a binary Dependency on it, but it looks like barbican only Build-Depends -- this may in fact be a bug). Please check whether python-pykmip is required as a Depends in barbican, which would make the MIR for it still relevant. At first glance, it definitely looks to be required at least in some cases:

barbican/plugin/kmip_secret_store.py:from kmip.core import enums
barbican/plugin/kmip_secret_store.py:from kmip.core.factories import credentials
barbican/plugin/kmip_secret_store.py:from kmip.pie import client
barbican/plugin/kmip_secret_store.py:from kmip.pie import objects
[...]
devstack/lib/barbican:# install_pykmip - install the PyKMIP python module
devstack/lib/barbican:function install_pykmip {
devstack/lib/barbican:pip_install 'pykmip'

As non-blocker but relevant improvements:

- Lintian has some things to say about the documentation:
I: barbican-keystone-listener: systemd-service-file-missing-documentation-key lib/systemd/system/barbican-keystone-listener.service
P: barbican-common: maintainer-script-without-set-e postinst
I: barbican-doc: possible-documentation-but-no-doc-base-registration
I: barbican-worker: systemd-service-file-missing-documentation-key lib/systemd/system/barbican-worker.service
- Debian has version 3.0.0~b2 as well, it should probably be merged or a sync.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
Alright, in light of this I need to have another look at barbican, given that I no longer have enough state to just ACK it. I will do the reviewing again now and respond tonight.

The Security Team has yet to assess python-pykmip.

** Changed in: barbican (Ubuntu)
Status: New => In Progress

** Changed in: barbican (Ubuntu)
Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1543754] Re: [MIR] barbican, python-pykmip
James, thanks. Security team ACK for promoting barbican to main.

FWIW even the "insecure" mode may be convenient enough to use the same API vs just storing secrets in a shared filesystem. We may still consider hypothetical weaknesses in the simple_crypto_plugin to be 'low' as a result.

Thanks

** Changed in: barbican (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1543754] Re: [MIR] barbican, python-pykmip
(so yes, we do still want barbican)
[Bug 1543754] Re: [MIR] barbican, python-pykmip
Hi Seth

Some feedback on your review

1) Barbican without an HSM

We'd come to the same conclusion that you did - Barbican without an HSM is really not secure, and the built-in crypto or softhsm options are really POC/dev use only.

From a deployment perspective, we have charms for barbican + barbican-softhsm, but that's just to allow us to perform CI on the charms without reliance on an actual HSM. Any production use *requires* use of an HSM (for which we will write barbican- charms).

2) Use Cases

Barbican could be used by tenants of a cloud directly, but I think it's much more likely that it will be consumed by other OpenStack services for secrets management - specific examples would include SSL termination in Neutron LBAAS, encryption of block devices in Cinder, encryption of data-at-rest in Swift; barbican is used for the key management aspects of these integrations.

3) Compatibility

Barbican is part of the integrated release with milestones part of OpenStack, so even if changes do happen, they are happening in the greater openstack context, so inter-service compatibility should be maintained. Barbican is relatively new (only approaching its 3rd release now), so I would expect some changes - but that's been typical of OpenStack projects. We also have another 4 releases before we have to worry about LTS support cycles - we can review again at 18.04 if we're still good with the decision to have Barbican in main.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
I reviewed barbican version 1:2.0.0-0ubuntu1; this shouldn't be considered a full audit, but rather a quick gauge of maintainability.

Barbican appeared to be developed to professional standards but it feels like it's still making larger architectural decisions and I'm not sure who the consumers of Barbican are supposed to be. There's more than the usual amount of TODO notes. It's nice to know the developers have thought through their goals enough to add notes to the future but it gives the impression that there's a lot of changes, perhaps changes that will influence consumers.

I couldn't tell if Barbican is intended for use only by OpenStack services or if it is intended for use by the applications and management infrastructure that individual tenants would use.

I couldn't tell if Barbican is actually intended to be used on systems without hardware security modules to provide backing storage. There is a simple_crypto_plugin that provides much of the functionality of the HSM wrappers but the docstring for the class indicates that it's "insecure". This simple_crypto_plugin (intends) to store all secrets in the databases using a key hardcoded in the sources or a key in /etc/barbican/barbican.conf -- which also appears to be hard-coded in our installation, rather than generated at install or first run.

crypto.py SYMMETRIC_ALGORITHMS, SYMMETRIC_KEY_LENGTHS, and ASYMMETRIC_KEY_LENGTHS -- includes vastly unsafe DES, vastly unsafe 64 bit length symmetric keys, and unsafe 1024 bit length asymmetric keys.

Secrets are documented to be stored with per-tenant encryption keys but I did not see a way for the tenants to supply the decryption keys; those per-tenant keys are probably stored in the database and protected solely by the kek configured in barbican.conf.

Access to secrets within a tenant's storage can apparently be scoped using ACLs to any keystone-ids, but I didn't see any documentation or recommendation that e.g. user services should have their own keystone authentication mechanisms, nor how it would be accomplished. This is definitely a grey area.

- Will future modifications cause compatibility problems?
- This secret storage is best considered "obfuscation" rather than "encrypted". If all the keys are available in the sources or a configuration file, no amount of intermediate steps makes them safe. Perhaps this is why the simple_crypto_plugin is labeled "insecure", perhaps secrets are only stored privately when using an HSM. If an HSM is the only safe way to store secrets, why even have an "insecure" mode?

So while this code looks professionally written I'm concerned that it may give a false sense of safety when storing keys and it may not have matured to the point of API or storage stability yet. I'd be more worried about promoting barbican to main for an LTS release; we still have a few releases for it to mature, so the risk doesn't feel overwhelming.

So, do we still want barbican?

Thanks
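The review above observes that the simple_crypto_plugin kek in /etc/barbican/barbican.conf "appears to be hard-coded in our installation, rather than generated at install or first run", which reduces the scheme to obfuscation for anyone who can read the config. As an added example, not Barbican's own code, here is the check and fix a package maintainer script could apply: detect a shared sample value (or a value that is not a valid 32-byte key) in the [simple_crypto_plugin] section and replace it with a freshly generated per-installation key, leaving every other section alone. The section and option names come from the thread; the quoting style, the 32-byte key length and the sample value embedded below are assumptions made for this example.

```python
# Added example, not Barbican code: make the simple_crypto_plugin KEK a
# per-installation secret instead of a value every copy of the package shares.
import base64
import binascii
import os
import re

KEK_BYTES = 32   # assumed: the plugin wraps a Fernet-style 32-byte base64 key

# base64("abcdefghijklmnopqrstuvwxyz123456"): a constructed stand-in for a
# sample value shipped in a default config, which must never be used as-is.
SAMPLE_KEKS = ("YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=",)

# Constructed barbican.conf fragment for the demo.
SAMPLE_CONF = """[DEFAULT]
debug = false

[simple_crypto_plugin]
kek = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY='

[secretstore]
kek = 'not the plugin key, must be left alone'
"""

_KEK_LINE = re.compile(r"""^(\s*kek\s*=\s*)(['"]?)([^'"\n]*)\2\s*$""")


def generate_kek():
    """Fresh random 32-byte key, url-safe base64 as Fernet expects."""
    return base64.urlsafe_b64encode(os.urandom(KEK_BYTES)).decode("ascii")


def kek_is_acceptable(value, sample_keks=SAMPLE_KEKS):
    """Acceptable only if it decodes to exactly KEK_BYTES and is not a known sample."""
    if value in sample_keks:
        return False
    try:
        raw = base64.b64decode(value, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == KEK_BYTES


def _sections(conf_text):
    """Yield (section, line) for every line, tracking the [section] it belongs to."""
    section = None
    for line in conf_text.splitlines(True):        # keep line endings
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        yield section, line


def read_kek(conf_text):
    """Current kek value in [simple_crypto_plugin], or None if absent."""
    for section, line in _sections(conf_text):
        m = _KEK_LINE.match(line)
        if section == "simple_crypto_plugin" and m:
            return m.group(3)
    return None


def ensure_unique_kek(conf_text, sample_keks=SAMPLE_KEKS, new_kek=None):
    """Return (conf_text, changed); the kek is rewritten only when unacceptable."""
    out, changed = [], False
    for section, line in _sections(conf_text):
        m = _KEK_LINE.match(line)
        if section == "simple_crypto_plugin" and m and not kek_is_acceptable(m.group(3), sample_keks):
            quote = m.group(2)
            ending = "\n" if line.endswith("\n") else ""
            line = "%s%s%s%s%s" % (m.group(1), quote, new_kek or generate_kek(), quote, ending)
            changed = True
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    text, changed = ensure_unique_kek(SAMPLE_CONF)
    print("rewritten:", changed)
    print(text)
```

Run at install or first start, this only turns the configuration-file key into a real per-host secret; it does nothing about the reviewer's larger point that the kek still sits in a file readable by the service, which is why an HSM-backed plugin remains the only option the thread considers secure.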
[Bug 1543754] Re: [MIR] barbican, python-pykmip
Is barbican intended for user-owned services to use? Or is it intended solely for openstack applications to use?

Thanks
[Bug 1543754] Re: [MIR] barbican, python-pykmip
All of the Barbican changes have now been pushed and will be uploaded shortly. A team bug subscriber has also been added for python-pykmip.
[Bug 1543754] Re: [MIR] barbican, python-pykmip
python-pykmip:
- package is missing a team subscriber
- the latest version isn't packaged; 0.4.1 might have good bug fixes
- python-pykmip deals with potentially sensitive data, in that it's used to manage crypto keys, it would benefit from a security review.

Please add a subscriber to the package. I don't consider packaging the very latest version as a blocker for main inclusion. This should still have a quick security review though...

** Changed in: python-pykmip (Ubuntu)
Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)
[Bug 1543754] Re: [MIR] barbican, python-pykmip
** Changed in: python-pykmip (Ubuntu)
Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1543754] Re: [MIR] barbican
We are no longer moving python-pykmip to suggests, instead an MIR has been added for it.

** Description changed:
+ [barbican] + [Availability] Currently in universe [Rationale] OpenStack Mitaka requires the barbican package. [Security] - No security history + No security history, however a security review is required. + + [Quality Assurance] + No prompting during install, all unit tests ran successfully. All current bugs are triaged or in progress. + + [Dependencies] + python-pykmip currently in universe, MIR below. + + [Standards Compliance] + FHS and Debian Policy compliant. + + [Maintenance] + Simple python package that the Ubuntu Server Team will take care of. + + [Background] + Barbican provides a secure REST key store for authentication. + + //--// + + [python-pykmip] + + [Availability] + Currently in universe + + [Rationale] + OpenStack Mitaka barbican requires this dependency. + + [Security] + No security history. [Quality Assurance] No prompting during install, all unit tests ran successfully. All current bugs are triaged or in progress. [Dependencies] All in main. [Standards Compliance] FHS and Debian Policy compliant. [Maintenance] Simple python package that the Ubuntu Server Team will take care of. [Background] - Barbican provides a secure REST key store for authentication. + python-pykmip is an implementation of the Key Management Interoperability Protocol.

** Summary changed:
- [MIR] barbican
+ [MIR] barbican, python-pykmip
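Review bot: the new [python-pykmip] block states "[Security] No security history." without the qualifier added to the barbican entry in the same edit ("however a security review is required"), yet later comments in this thread say the Security Team has yet to assess python-pykmip and that it should get a quick security review; the same qualifier belongs on the python-pykmip entry. Also, the unchanged "[Dependencies] All in main." line now sits under [python-pykmip] rather than [barbican] after the insertion of the "python-pykmip currently in universe, MIR below." line, so it should be confirmed against python-pykmip's actual dependencies rather than inherited from the old barbican text.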
[Bug 1543754] Re: [MIR] barbican
Still some things left to do:

* drop pysqlite2 -- DONE
* move pykmip to Suggests -- IN PROGRESS
* revert patch of python-ldap3 back to old python-ldap usage, as python-ldap is already in main -- DONE
* provide man page stubs like we did for designate since it looks like upstream doesn't provide any -- DONE

I will post when it's fully complete.
[Bug 1543754] Re: [MIR] barbican
A new version of barbican has been pushed (not yet uploaded) that drops uwsgi in favor of running the barbican-api behind apache2.

Still some things left to do:

* drop pysqlite2
* move pykmip to Suggests
* revert patch of python-ldap3 back to old python-ldap usage, as python-ldap is already in main
* provide man page stubs like we did for designate since it looks like upstream doesn't provide any

I think after that we'll have covered all of Mathieu's review comments.
[Bug 1543754] Re: [MIR] barbican
pysqlite was dropped as a dependency a while back, so it's safe to remove from the runtime depends.
[Bug 1543754] Re: [MIR] barbican
Can we drop python-pysqlite2? Seems surplus to production ops...

** Changed in: uwsgi (Ubuntu)
       Status: New => Invalid

** Changed in: python-ldap3 (Ubuntu)
       Status: New => Incomplete

** Changed in: python-pykmip (Ubuntu)
       Status: New => Incomplete
[Bug 1543754] Re: [MIR] barbican
Removing ldap3 as we are reverting barbican to use python-ldap since it's already in main. We will work on getting ldap3 in main at some point in the future.

Removing pysqlite2 as we are removing sqlite support in barbican package for now.

** No longer affects: python-ldap3 (Ubuntu)

** No longer affects: uwsgi (Ubuntu)

** No longer affects: python-pysqlite2 (Ubuntu)
[Bug 1543754] Re: [MIR] barbican
ldap3 and pykmip need working through with MIR review details - marking Incomplete.
[Bug 1543754] Re: [MIR] barbican
Looks like this bug: https://bugs.launchpad.net/ubuntu/+source/barbican/+bug/1526648 has been resolved.

Working on supplemental MIRs for those deps and taking care of those lintian warnings.
[Bug 1543754] Re: [MIR] barbican
** Also affects: python-ldap3 (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: python-pykmip (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: python-pysqlite2 (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: uwsgi (Ubuntu)
   Importance: Undecided
       Status: New
[Bug 1543754] Re: [MIR] barbican
Some lintian warnings should be fixed:

W: barbican-common: binary-without-manpage usr/bin/barbican-db-manage
W: barbican-common: binary-without-manpage usr/bin/barbican-keystone-listener
W: barbican-common: binary-without-manpage usr/bin/barbican-retry
W: barbican-common: binary-without-manpage usr/bin/barbican-worker
W: barbican-common: binary-without-manpage usr/bin/pkcs11-kek-rewrap
W: barbican-common: binary-without-manpage usr/bin/pkcs11-key-generation
P: barbican-common: maintainer-script-without-set-e postinst

Not all Build-Depends and binary Depends are in main:

Checking support status of build dependencies...
 * python-ldap3 binary and source package is in universe
 * python-pykmip binary and source package is in universe

Checking support status of binary dependencies...
 * python-ldap3 binary and source package is in universe
 * python-barbican binary and source package is in universe
 * python-pysqlite2 binary and source package is in universe
 * barbican-common binary and source package is in universe
 * uwsgi-core binary and source package is in universe
 * uwsgi-plugin-python binary and source package is in universe
 * barbican-common binary and source package is in universe
 * barbican-common binary and source package is in universe

There's also an open bug in LP: https://bugs.launchpad.net/ubuntu/+source/barbican/+bug/1526648 ; its impact on 16.04 should be investigated.

The above should be fixed, or at least there should be documentation on why they should not (or can't) be.

Given that barbican is meant to handle secure storage of sensitive client secret information, I think this would also benefit from a security review.

** Changed in: barbican (Ubuntu)
     Assignee: Mathieu Trudel-Lapierre (mathieu-tl) => Ubuntu Security Team (ubuntu-security)
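The two lintian tags raised in the review above, reimplemented as a quick local check an uploader can run on a staged package tree before resubmitting. This is an added example, not code from the thread or from lintian itself: it is a simplified approximation of lintian's checks (real lintian accepts more script forms), exercised against a constructed package tree with hypothetical file contents built in a temp dir.

```shell
#!/bin/sh
# Added example (not from the thread or from lintian): a simplified local
# version of the two lintian tags raised in the review above, run against a
# constructed package tree so it works offline. Assumes mktemp and grep -E.

# W: binary-without-manpage -- every executable under usr/bin or usr/sbin of a
# staged tree needs a page in usr/share/man/man1 or man8.
check_manpages() {
  root=$1; pkg=$2
  for b in "$root"/usr/bin/* "$root"/usr/sbin/*; do
    [ -f "$b" ] && [ -x "$b" ] || continue
    name=${b##*/}
    if ! ls "$root"/usr/share/man/man[18]/"$name".[18]* >/dev/null 2>&1; then
      echo "W: $pkg: binary-without-manpage ${b#"$root"/}"
    fi
  done
}

# P: maintainer-script-without-set-e -- a maintainer script that keeps running
# after a failed command can leave the package half-configured; lintian wants
# "set -e" (or "#!/bin/sh -e") so any failure aborts that install step.
check_set_e() {
  debdir=$1; pkg=$2
  for s in preinst postinst prerm postrm; do
    f=$debdir/$s
    [ -f "$f" ] || continue
    if ! grep -Eq '^#![[:space:]]*/bin/(ba)?sh[[:space:]]+-[[:alpha:]]*e|^[[:space:]]*set[[:space:]]+-[[:alpha:]]*e' "$f"; then
      echo "P: $pkg: maintainer-script-without-set-e $s"
    fi
  done
}

# Constructed sample: two binaries (only one with a man page stub) and a
# postinst that lacks set -e, next to a prerm that has it.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/usr/share/man/man1" "$root/debian"
  printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/barbican-worker"
  printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/barbican-retry"
  chmod 755 "$root/usr/bin/barbican-worker" "$root/usr/bin/barbican-retry"
  : > "$root/usr/share/man/man1/barbican-retry.1.gz"
  printf '#!/bin/sh\nadduser --system barbican\n' > "$root/debian/postinst"
  printf '#!/bin/sh\nset -e\nexit 0\n' > "$root/debian/prerm"
  echo "$root"
}

sample=$(make_sample)
check_manpages "$sample" barbican-common   # reports usr/bin/barbican-worker only
check_set_e "$sample/debian" barbican-common   # reports postinst only
rm -rf "$sample"
```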
[Bug 1543754] Re: [MIR] barbican
** Changed in: barbican (Ubuntu)
   Importance: Undecided => High
[Bug 1543754] Re: [MIR] barbican
** Branch unlinked: lp:~ddellav/ubuntu/xenial/barbican/mitakab2
[Bug 1543754] Re: [MIR] barbican
We've just uploaded a new version of barbican that drops the debconf/dbconfig bits.
[Bug 1543754] Re: [MIR] barbican
** Also affects: barbican (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: barbican
[Bug 1543754] Re: [MIR] barbican
Mathieu, got time for this?

** Changed in: barbican (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (mathieu-tl)