[MIR] python-distro

[Availability]

python-distro and python3-distro are available in universe and are
architecture independent.

[Rationale]

python3-distro is an upcoming build dependency of Azure's
WALinuxAgent, which we support in main.

This change is being made in advance of Python 3.7, which drops some
platform detection features from the standard library. python3-distro
provides these features.

For details, see: https://github.com/Azure/WALinuxAgent/pull/1036 (and
we have an open support case on this also)

[Security]

There doesn't appear to have been any CVEs reported against python-distro.

There are no binaries installed, but one item on the list is "Add-ons
and plugins to security-sensitive software (filters, scanners, UI
skins, etc)" - as this is a python module it could end up in anything.

As such, I had a quick flick through the code. The only installed
python code is distro.py. The only interactions I can see it doing
with the outside world are:

 - running lsb_release and uname through the python subprocess
   module. They're run through relative paths rather than absolute
   paths, but that might be required for cross-distro compatibility.

 - reading an os_release and/or other distro release file. They're
   opened read-only.

 - querying the UNIXCONFDIR environment variable.

If you could manipulate the environment variables and manipulate the
filesystem, you could get a different binary named uname or lsb_relase
to be run. In the absence of a setuid binary I don't think that really
gets you anywhere new. This ships no setuid binaries and the
walinuxagent binaries don't seem to be setuid either.

In short, I don't think this could be used to get anything useful.

[Quality assurance]

 - "After installing the package it must be possible to make it
   working with a reasonable effort of configuration and documentation
   reading."

The package is available to use as a python module
immediately. Documentation is available in the standard Python way:

  >>> import distro
  >>> help(distro)

 - "The package must not ask debconf questions higher than medium if
   it is going to be installed by default. The debconf questions must
   have reasonable defaults."

There are no debconf questions.

 - "There are no long-term outstanding bugs which affect the usability
   of the program to a major degree. To support a package, we must be
   reasonably convinced that upstream supports and cares for the
   package."
 - "The status of important bugs in Debian's, Ubuntu's, and upstream's
   bug tracking systems must be evaluated. Important bugs must be
   pointed out and discussed in the MIR report."
 - "The package is maintained well in Debian/Ubuntu (check out the
   Debian PTS)"

{Upstream}

Looking at https://github.com/nir0s/distro, the latest commit was 15
days ago, and there seems to be steady, albeit slow, work on the
package with a view to releasing a version 2 at some point in the
future. It would seem that upstream suports and cares for the package.

Looking at issues at https://github.com/nir0s/distro/issues, there are
no open bugs that would affect Ubuntu, and certainly no major bugs.

{Debian}
See https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=python-distro
There is only 1 open bug, and it's a trivial documentation bug with no
impact on functionality, and it's already been fixed pending upload.
The only previous bug was a missing dependency on lsb-release which
was fixed in 2016.

{Ubuntu}
See https://bugs.launchpad.net/ubuntu/+source/python-distro
No bugs reported ever.

 - "The package should not deal with exotic hardware which we cannot
   support."

N/A

 - "If the package ships a test suite, ..., it should be run during
   package build, and a failing test suite should fail the build."

Tests are run during build with dh_auto_test.

 - "The package uses a debian/watch file whenever possible."

debian/watch is used.

 - "The package should not rely on obsolete or about to be demoted
   packages."

None. python2 is supported but not required and python3 has first
class support.

[UI standards]

N/A; no binaries shipped.

[Dependencies]

The only dependencies are lsb-release and python2/3, both in main.

[Standards compliance]

The package is built with the standard Debian python tooling, and
appears to put things in normal places. The source packaging is
minimal and simple. (Having said that, I'm not a policy expert, so I'd
may have missed something.)

[Maintenance]

This is a simple package. It appears to be well maintained in Debian,
so we should be able to keep it synced with Debian. It shouldn't
require any Ubuntu-specific maintenance.