[Bug 1975493] Re: [MIR] manila

2022-05-25 Thread Seth Arnold
** Tags added: sec-1042

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1975493

Title:
  [MIR] manila

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/manila/+bug/1975493/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1975493] Re: [MIR] manila

2022-05-24 Thread James Page
Assigning to ubuntu-security for further review.

Manila uses exactly the same modules as the majority of other OpenStack
services for security related touchpoints as I've noted in my review
which may determine the depth of security review needed for this
package.


** Changed in: manila (Ubuntu)
Milestone: None => ubuntu-22.10

** Changed in: manila (Ubuntu)
 Assignee: James Page (james-page) => Ubuntu Security Team (ubuntu-security)


[Bug 1975493] Re: [MIR] manila

2022-05-24 Thread James Page
[Summary]
Generally this package and Manila itself are carbon copies
of the other OpenStack Services packaged for Ubuntu. There
are no red flags and the package uses all of the existing
in main oslo modules used for OpenStack services (WSGI,
serialization, root escalation++).

As this package provides a network service and processes
user provided data (JSON) this does need a security review,
so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main:
  - manila-api
  - manila-share
  - manila-scheduler
  - manila-data

These should be added to the appropriate seed for Ubuntu.

Notes:
See below

Required TODOs:
None

Recommended TODOs:
- This package uses the complex set of tools that the Debian
  OpenStack team uses for managing maintainer scripts, systemd
  units etc.  Not a block but it would be good to see where we
  can simplify this usage for the needs of Ubuntu users and to
  reduce the overhead of package maintenance.

[Duplication]
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc

NOTE:
- does parse data formats
   Manila services use JSON serialization for processing
   of API requests and for RPC messaging - uses the
   oslo.serialization module already in main.
- does open a port
   Manila API service provides access via WSGI which
   uses the oslo.service module already in main.
   oslo.policy and keystoneauth1 are used for authentication
   and authorization for specific endpoints.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
 - test suite failures will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

NOTE:
- use of sudo by manila-share service however uses
  oslo.rootwrap to whitelist commands to control
  privilege escalation


** Changed in: manila (Ubuntu)
   Status: In Progress => New


[Bug 1975493] Re: [MIR] manila

2022-05-24 Thread James Page
** Changed in: manila (Ubuntu)
   Status: New => In Progress


[Bug 1975493] Re: [MIR] manila

2022-05-24 Thread James Page
** Changed in: manila (Ubuntu)
 Assignee: (unassigned) => James Page (james-page)
