[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
After evaluating dependencies, required further changes and mostly maintainability for security and packaging it was decided there are too many concerns - not about any single package in particular, but the overall Mailman3 stack - about the ability to maintain and monitor it as well as we need it for support in main.

We have closed the primary LP bug already, the MIRs that are already approved will stay that way, but we will make no seed change to pull things in for now. Yet if other needs come up for those they have a prepared MIR already.

Other bugs - like this one - which are not yet completed in terms of review will be closed as Won't Fix.

Even though it ended up being aborted, I think that is a valid outcome of the MIR evaluations. Nevertheless, I want to thank everybody involved for all the work spent in what was nearly a year working through these MIRs.

** Changed in: uwsgi (Ubuntu)
       Status: New => Won't Fix

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820227

Title:
  [MIR] uwsgi as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/uwsgi/+bug/1820227/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
Here are the notes I took while reviewing this package:

About the source code:
- uwsgi_calloc() re-introduces integer overflow bugs
- cppcheck results are entirely false positives

About the debian packaging:
- cdbs is unfortunate
- gbp is difficult to work with
- there's a huge number of binary packages
- complex Depends, Suggests, Replaces, Conflicts, Provides
- different binary packages have different supported architectures

I really liked the documentation, and it felt like there was a lot to recommend this service, but the huge amount of complexity and highly intricate memory management felt very likely to have security issues.

To be clear I didn't find any security issues: it's just that moving memory chunks across consumers and producers as this program does is notoriously difficult to keep correct under maintenance.

Thanks
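The review note above about a calloc() replacement re-introducing integer overflows, shown as an added example that is not part of the original thread and is not uwsgi's code. It assumes a wrapper that takes a single byte count, so callers multiply count by element size themselves; all function names here are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper shape (assumption): one byte count, zeroed memory.
 * Unlike calloc(nmemb, size) it never sees the two factors. */
static void *zalloc_bytes(size_t bytes) {
    void *p = malloc(bytes);
    if (p) memset(p, 0, bytes);
    return p;
}

/* What a caller of zalloc_bytes() computes; wraps silently on overflow. */
size_t unchecked_total(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Checked product: 0 and *out set on success, -1 if nmemb*size overflows. */
int checked_total(size_t nmemb, size_t size, size_t *out) {
    if (size != 0 && nmemb > SIZE_MAX / size) return -1;
    *out = nmemb * size;
    return 0;
}

/* Hardened wrapper: keeps calloc's two-argument contract and its check. */
void *zalloc_array(size_t nmemb, size_t size) {
    size_t total;
    if (checked_total(nmemb, size, &total) != 0) return NULL;
    return zalloc_bytes(total);
}

int main(void) {
    size_t n = SIZE_MAX / 16 + 2;  /* constructed count, e.g. from input */
    /* The wrapped product is tiny, so the allocation succeeds while the
     * caller still believes it holds n elements of 16 bytes each. */
    printf("caller wants %zu x 16, unchecked request is %zu bytes\n",
           n, unchecked_total(n, 16));
    void *p = zalloc_array(n, 16);
    printf("checked wrapper returns %s\n", p ? "a buffer" : "NULL");
    free(p);
    return 0;
}
```
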
[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
** Changed in: uwsgi (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
Yeah, I agree that uwsgi is a beast.

When trying alternatives (after all WSGI is supposed to be a specification) there is a better candidate though. gunicorn is in universe and big as well, but we'd have src:mod-wsgi providing httpd-wsgi as well through libapache2-mod-wsgi. And that was already in main [1] and could easily be repromoted.

I guess we have to take the action to evaluate if this replacement would be fully functional.

[1]: https://bugs.launchpad.net/ubuntu/+source/mod-wsgi/+bug/566537
[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
I've been reading the uwsgi documentation and code for a few hours now; I fully concur with Mathieu's assessment.

It's amazing how much uwsgi can do. It's got plugins for a huge number of programming environments, storage backends, logging mechanisms, RPC mechanisms.. it goes on. The documentation is surprisingly good. People who I know that run it seem to like it, in some cases way better than some of the alternatives.

But this is huge, the deps list is huge, and there's a vast amount of manual memory management in C. I haven't spotted any errors yet, but this kind of code quite simply *must* have security critical bugs in it.

I'm thinking this is an awful lot to include in main for mailman3. Does anyone know if gunicorn could work for mailman3? I must admit I haven't actually looked at gunicorn yet, but it has to be simpler.

Another alternative is to keep the whole stack of applications in universe; I would feel bad about pulling a feature out of main, but the time spent on this could be spent elsewhere this cycle.

Thoughts?

Thanks
[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
This package is huge and terrible to review; I had a look at it, and I see a couple of places where it seems like it's security sensitive. To top that off, it's a CGI server, so obviously security sensitive in its own right.

Let's have Security review it.

** Changed in: uwsgi (Ubuntu)
     Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)
[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
Assigned to cyphermox in today's MIR Team meeting - thanks a lot for taking a look at this!

** Changed in: uwsgi (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1820227] Re: [MIR] uwsgi as dependency of mailman3
FYI: The FTBFS fix is in progress and soon resolved.

FYI: but the package is also:
a) more complex
b) more likely to be a Deny or at least extra work to be triggered

Therefore I'm on next week's meeting passing the review of this one to a fellow MIR team member