python-cheroot: [Summary] This package provides a pure Python HTTP server implementation which is used as part of CherryPy - as a result it needs a full security review.
The test suite for this package is currently skipped due to missing dependencies - as this feels like a critical part of CherryPy I'd like to see this deficiency resolved prior to promotion to Ubuntu main. [Duplication] OK: - There is no other package in main providing the same functionality. [Dependencies] OK: - All covered on this MIR bug. [Embedded sources and static linking] OK: - no embedded source present - no static linking [Security] OK: - no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco) - does not run a daemon as root - does not use webkit1,2 - does not use lib*v8 directly - does not parse data formats - does not open a port - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs as autopkgtest - The package has a team bug subscriber - no translation present, but none needed for this case - no new python2 dependency - Python package that is using dh_python Blockers: - test suite present but currently skipped in packaging. [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - d/watch is present and looks ok - Upstream update history is good - Relatively new package so no update history - current release less one patch release is currently packaged. - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - d/rules is rather clean - Does not have Built-Using [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (as far as I can check it) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream - no dependency on webkit, qtwebkit, seed or libgoa-* - not part of the UI for extra checks ** Changed in: python-cheroot (Ubuntu) Status: New => Incomplete ** Changed in: python-tempora (Ubuntu) Status: New => Fix Committed ** Changed in: jaraco.classes (Ubuntu) Assignee: James Page (james-page) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1930111 Title: [MIR] new dependencies of cherrypy3: jaraco.collections, jaraco.classes, jaraco.text, python-cheroot, python-jaraco.functools, python-tempora, python-portend, zc.lockfile To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/jaraco.classes/+bug/1930111/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
