I reviewed python-service-identity version 1.0.0-0ubuntu1 as checked into
utopic. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- python-service-identity provides RFC 6125 verification of dNSName,
  uniformResourceIdentifier, and otherName types of subjectAltName extensions
  in X.509 certificates.
- Build-Depends: debhelper, dh-python, python-all, python-setuptools,
  python-openssl, python-pyasn1-modules, python-characteristic,
  python-pytest, python3-all-dev, python3-setuptools, python3-openssl,
  python3-pyasn1-modules, python3-characteristic, python3-pytest
- Uses OpenSSL
- Does not itself use networking
- Does not daemonize
- May run as a system user
- No maintainer scripts
- No initscripts
- No dbus services
- No setuid files
- No new binaries
- No sudo fragments
- No udev rules
- Good test suite -- but does not run during build
- No cron jobs
- Build logs clean

- No processes spawned
- No memory management
- No files written
- No logging
- No environment variables
- No privileged portions of code
- Extensive X.509 parsing
  Since the comparisons are made using python byte streams, I believe the
  classical nul character attack won't give incorrect results.
- Does not itself do networking
- No temporary files
- No webkit
- No javascript
- Clean pyflakes
- No PolicyKit

This package is relatively new and performs relatively complex operations;
however, the coding style is clear and concise, upstream has published
security contacts and intends to not break published APIs.

Please investigate why the tests report "Ran 0 tests in 0.000s". The tests
look extensive; we should make sure they run at build time.

Once the tests are addressed, security team ACK for promoting
python-service-identity to main.

Thanks


** Changed in: python-service-identity (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)
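The byte-string comparison point raised in the review, as an added example that is not part of the review or of python-service-identity's own code: a strict RFC 6125-style dNSName matcher that works on bytes, run over constructed subjectAltName values. The function names and sample names are this example's own assumptions, not the library's API.

```python
# Added illustration, not python-service-identity's code: a strict RFC 6125
# dNSName matcher that compares whole byte strings, so a certificate name
# carrying an embedded NUL byte cannot be mistaken for the hostname it is
# prefixed with. Only a whole left-most wildcard label is accepted.

def _hostname_bytes(hostname: str) -> bytes:
    """Normalise the expected hostname to lowercase A-label (IDNA) bytes."""
    return hostname.rstrip(".").lower().encode("idna")

def dns_name_matches(pattern: bytes, hostname: str) -> bool:
    """True if the raw dNSName `pattern` from subjectAltName matches `hostname`."""
    if b"\x00" in pattern:
        # A NUL byte is never valid in a dNSName. Comparing whole byte strings
        # means the value is not truncated at the NUL the way a C-string
        # comparison would be; we simply reject it.
        return False
    host = _hostname_bytes(hostname)
    pat = pattern.rstrip(b".").lower()
    if b"*" not in pat:
        return pat == host
    pat_labels = pat.split(b".")
    host_labels = host.split(b".")
    # The wildcard must be the entire left-most label, must leave at least
    # two fixed labels (so "*.com" never matches), and stands for exactly one
    # host label (so "*.example.net" does not match "a.b.example.net").
    if pat_labels[0] != b"*" or len(pat_labels) < 3:
        return False
    if b"*" in b".".join(pat_labels[1:]) or len(host_labels) != len(pat_labels):
        return False
    return pat_labels[1:] == host_labels[1:]

def verify_dns_names(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the certificate's subjectAltName matches."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)

# Constructed subjectAltName dNSName values, as raw bytes from the extension;
# the last one carries the classic embedded NUL.
CONSTRUCTED_SAN = [
    b"www.example.com",
    b"*.example.net",
    b"www.example.com\x00.other.test",
]

if __name__ == "__main__":
    for host in ("www.example.com", "api.example.net", "example.com", "a.b.example.net"):
        print(host, verify_dns_names(CONSTRUCTED_SAN, host))
```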

https://bugs.launchpad.net/bugs/1349119

Title:
  [MIR] new dependencies for twisted

