[Bug 1820211] Re: [MIR] python3-openid as dependency of mailman3

2019-07-02 Thread Christian Ehrhardt 
After evaluating dependencies, required further changes and, mostly,
maintainability for security and packaging, it was decided that there are too
many concerns - not about any single package in particular, but about the
overall Mailman3 stack - regarding the ability to maintain and monitor it as
well as we need to for support in main.

We have already closed the primary LP bug; the MIRs that are already approved 
will stay that way, but we will make no seed change to pull things in for now. 
Yet if other needs come up for those, they already have a prepared MIR.
Other bugs - like this one - whose review is not yet complete
will be closed as Won't Fix.

Even though it ended up being aborted, I think that is a valid outcome of the
MIR evaluations. Nevertheless I want to thank everybody involved for
all the work spent in what was nearly a year of working through these MIRs.

** Changed in: python3-openid (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820211

Title:
  [MIR] python3-openid as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3-openid/+bug/1820211/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1820211] Re: [MIR] python3-openid as dependency of mailman3

2019-07-02 Thread Seth Arnold
** Changed in: python3-openid (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

[Bug 1820211] Re: [MIR] python3-openid as dependency of mailman3

2019-05-06 Thread Christian Ehrhardt 
Thanks for the hint on the upstream discontinuation, Eduardo.

This was a python3 fork of python-openid, which in the meantime grew py3
support and seems to be the continued upstream project. We will need to
work in/with Debian to change to building the python3-openid binary out of a
recent python-openid source.

[Bug 1820211] Re: [MIR] python3-openid as dependency of mailman3

2019-04-25 Thread Eduardo dos Santos Barretto
I reviewed python3-openid version 3.1.0-1 as checked into disco as of this
writing.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

python3-openid is a set of python packages to support use of the OpenID
decentralized identity system in your application.

- No development or commit in the last 2 years. Some open issues, but only one
  might get us worried. A user asks if python 3.7 is supported (which is the
  current version of python in disco). There's not much info on whether the user
  saw an issue when running with python 3.7.
  https://github.com/necaris/python3-openid/issues/39
- No CVE history
- Build-depends:
 - dh-python,
 - python3-all,
 - python3-setuptools
- postinst and prerm added automatically
- No init scripts
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Some tests under openid/test/
- No cron jobs
- No security relevant warnings:
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-python3-openid-dummy
dpkg-source: warning: extracting unsigned source package (python3-openid_3.1.0-1.dsc)
warning: no files found matching 'NOTICE'
warning: no files found matching 'CHANGELOG'
warning: no files found matching 'README.md' under directory 'examples'
warning: no files found matching '*.css' under directory 'doc'
warning: no files found matching '*.html' under directory 'doc'
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-lintian-dummy sbuild-build-depends-python3-openid-dummy


- Subprocess spawned in contrib/openid-parse; it spawns "xsel -o -b"
- File IO
 - a few file operations, look safe
- Logging
 - logging in case of error or warning
 - uses the logging module for logging errors and the warnings module for warnings
 - look safe
- No environment variables (only in examples)
- No privileged operations
- Networking
 - SQLite3 connection
 - MySQL connection
 - PostgreSQL connection
 - fetches http request with pycurl
 - parses html
- Encryption
 - makes use of pycurl for fetching http requests
- No WebKit
- No PolicyKit
- No shell scripts

- Coverity analysis:
 1. False positive
python3-openid-3.1.0/openid/fetchers.py:360
  Checker: REVERSE_INULL
python3-openid-3.1.0/openid/fetchers.py:356:
  deref: Accessing a property of "headers".
python3-openid-3.1.0/openid/fetchers.py:360:
  check_after_deref: Null-checking "headers" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

 2. Test code, so considering it low
python3-openid-3.1.0/openid/test/__init__.py:170
  Checker: UNREACHABLE
python3-openid-3.1.0/openid/test/__init__.py:170:
  unreachable: This code cannot be reached: "return django.test.simple.r...".

 3. Test code, so considering it low
python3-openid-3.1.0/openid/test/test_association_response.py:331
  Checker: FORWARD_NULL
python3-openid-3.1.0/openid/test/test_association_response.py:330:
  1. path: Condition "ret === None", taking true branch.
python3-openid-3.1.0/openid/test/test_association_response.py:330:
  2. null_check: Comparing "ret" to a null-like value implies that "ret" might be null-like.
python3-openid-3.1.0/openid/test/test_association_response.py:331:
  3. property_access: Accessing a property of null-like value "ret".

 4. Test code, so considering it low
python3-openid-3.1.0/openid/test/trustroot.py:42
  Checker: FORWARD_NULL
python3-openid-3.1.0/openid/test/trustroot.py:40:
  1. path: Condition "tr === None", taking true branch.
python3-openid-3.1.0/openid/test/trustroot.py:40:
  2. null_check: Comparing "tr" to a null-like value implies that "tr" might be null-like.
python3-openid-3.1.0/openid/test/trustroot.py:42:
  3. property_access: Accessing a property of null-like value "tr".


To sum up:

1. It would be nice if someone could verify the python issue.
2. Will we want to support a project that might have halted development or be 
abandoned?

So before the ACK or NACK we would appreciate it if someone could answer
those questions.

Thanks

** Bug watch added: github.com/necaris/python3-openid/issues #39
   https://github.com/necaris/python3-openid/issues/39

[Bug 1820211] Re: [MIR] python3-openid as dependency of mailman3

2019-03-22 Thread Christian Ehrhardt 
[Duplication]
No duplication of that functionality in the Archive in general or main in 
particular.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- use centralized online accounts
- integrate arbitrary javascript into the desktop

But it does:
- deal with system authentication
- process arbitrary web content
- parse data formats

It provides openid services and therefore a security check is
recommended.

[Common blockers]
- builds fine at the moment
- Server Team committed to subscribe once this gets promoted (enough for now)
- dh_python is used
- package produces only python3 binaries
- utilizes build time self tests
- utilizes (rather trivial) smoke test as autopkgtest.

[Packaging red flags]
- no current Ubuntu delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build (a few warnings, but nothing concerning)
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
Ack from the MIR Team's POV, but as outlined above a security review is 
recommended.
Assigning the Security Team.


** Changed in: python3-openid (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

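The checklists in Eduardo's review (2019-04-25) and Christian's MIR review (2019-03-22) above (init scripts, dbus services, setuid bits, binaries in PATH, sudo fragments, udev rules, cron jobs, polkit actions, maintainer scripts, shell scripts) can be run mechanically over an unpacked binary package before a reviewer reads anything by hand. The script below is an added example written for this page; it is not the Ubuntu Security Team's or the MIR team's tooling, and the python3-openid .deb file name in its comments is assumed. It expects the package unpacked with dpkg-deb -x and its control directory extracted with dpkg-deb -e into DEBIAN/ under the same root. Run with no argument it audits a small constructed sample tree (not the real package) so the output can be seen offline; pass a directory to audit a real unpacked package.

```shell
#!/bin/sh
# Added example for this page, not Ubuntu MIR/security-team tooling.
# Mechanical first pass over an unpacked binary package for the checklist
# items in the reviews above. Prepare the tree first (file name assumed):
#   dpkg-deb -x python3-openid_3.1.0-1_all.deb root
#   dpkg-deb -e python3-openid_3.1.0-1_all.deb root/DEBIAN
#   sh audit_tree.sh root

# report LABEL PATH: print one finding, with the tree root stripped from PATH
report() {
    printf 'FOUND %s: %s\n' "$1" "${2#"$root"}"
}

# flag LABEL PATH...: report every path that exists; unmatched globs arrive
# as literal patterns and fail the -e test, so they are skipped silently
flag() {
    label="$1"; shift
    for p in "$@"; do
        [ -e "$p" ] && report "$label" "$p"
    done
    return 0
}

# audit_tree ROOT: print one FOUND line per checklist hit, nothing when clean
audit_tree() {
    root="$1"
    [ -d "$root" ] || { echo "audit_tree: not a directory: $root" >&2; return 2; }

    flag init-script "$root"/etc/init.d/* "$root"/lib/systemd/system/* "$root"/usr/lib/systemd/system/*
    flag dbus-service "$root"/usr/share/dbus-1/system-services/* "$root"/usr/share/dbus-1/services/* "$root"/etc/dbus-1/system.d/*
    flag path-binary "$root"/bin/* "$root"/sbin/* "$root"/usr/bin/* "$root"/usr/sbin/*
    flag sudo-fragment "$root"/etc/sudoers.d/*
    flag udev-rule "$root"/etc/udev/rules.d/* "$root"/lib/udev/rules.d/* "$root"/usr/lib/udev/rules.d/*
    flag cron-job "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*
    flag polkit-action "$root"/usr/share/polkit-1/actions/*
    flag maintainer-script "$root"/DEBIAN/preinst "$root"/DEBIAN/postinst "$root"/DEBIAN/prerm "$root"/DEBIAN/postrm

    # setuid/setgid files anywhere in the tree, not only on PATH
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | while IFS= read -r f; do
        report setuid "$f"
    done

    # files whose shebang names a POSIX or bash shell (with or without options)
    find "$root" -type f | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*/sh|'#!'*/sh' '*|'#!'*/bash|'#!'*/bash' '*|'#!'*' sh'|'#!'*' bash')
                report shell-script "$f" ;;
        esac
    done
}

# count_findings ROOT: number of FOUND lines (prints 0 for a clean tree)
count_findings() {
    audit_tree "$1" | grep -c '^FOUND' || true
}

# make_sample_tree DIR: constructed sample, deliberately NOT a clean package:
# a pure-python module plus a setuid helper on PATH, a sudoers fragment,
# a cron job and a postinst, so every kind of check has something to hit
make_sample_tree() {
    d="$1"
    mkdir -p "$d/usr/lib/python3/dist-packages/openid" "$d/etc/sudoers.d" \
             "$d/usr/bin" "$d/etc/cron.d" "$d/DEBIAN"
    printf '__all__ = []\n' > "$d/usr/lib/python3/dist-packages/openid/__init__.py"
    printf 'example ALL=(root) NOPASSWD: /usr/bin/example-helper\n' > "$d/etc/sudoers.d/example"
    printf '#!/bin/sh\nexec /usr/lib/example/helper "$@"\n' > "$d/usr/bin/example-helper"
    chmod 4755 "$d/usr/bin/example-helper"
    printf '0 3 * * * root /usr/bin/example-helper --rotate\n' > "$d/etc/cron.d/example"
    printf '#!/bin/sh\nset -e\n#DEBHELPER#\n' > "$d/DEBIAN/postinst"
}

# With no argument, demonstrate on the constructed sample tree; with one
# argument, audit that unpacked package root instead.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    audit_tree "$demo"
    echo "findings: $(count_findings "$demo")"
    rm -rf "$demo"
else
    audit_tree "$1"
fi
```

The output is a triage list, not a verdict: a pure-python package built with dh_python will legitimately show a maintainer-script hit for the generated postinst/prerm (as Eduardo's review notes), while a setuid file, a sudoers fragment or a cron job in a library package would be the kind of finding that turns a quick maintainability gauge into a real audit.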