Please SRU the pymacaroons stack to Trusty
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libsodium (Ubuntu) | Fix Released | Undecided | Unassigned | |
Trusty | Fix Released | Undecided | Unassigned | |
pymacaroons (Ubuntu) | Fix Released | Undecided | Unassigned | |
Trusty | Fix Released | Undecided | Unassigned | |
python-libnacl (Ubuntu) | Fix Released | Undecided | Unassigned | |
Trusty | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* Python handling of macaroons is not yet available in Trusty.
From the description:
Macaroons, like cookies, are a form of bearer credential. Unlike opaque
tokens, macaroons embed caveats that define specific authorization
requirements for the target service, the service that issued the root
macaroon and which is capable of verifying the integrity of macaroons
it receives.
Macaroons allow for delegation and attenuation of authorization. They
are simple and fast to verify, and decouple authorization policy from
the enforcement of that policy.
* Modern entitlement handling is important and shall be used as a
dependency of ubuntu-
enable Ubuntu Advantage support entitlement
* The packages do not exist in Trusty yet, so this is no update, but
instead will hit xenial new-queue.
* The developer working on UA Advantage client confirmed that the
versions in Xenial will be sufficient. Therefore we would want to
backport the Xenial versions to Trusty, which will also make it
easier to keep a sane upgrade path.
[Test Case]
* Use pymacaroons e.g. via the quick start entry in the upstream project
https:/
Comment #3 has a test script attached to ease that.
* Since all of this is for the new UA-Tools to work on Trusty we can also
ask Chad Smith to run tests with UA-Tools there.
[Regression Potential]
* Things might not work as expected, but an actual regression is near
impossible since the packages are NEW to trusty. The one potential
regression that comes to mind is that programs could have made
"try ... from pymacaron import API, letsgo; except: fallback".
This would then no longer use the fallback code, but given that there was
no dependency on it back in Trusty this is very unlikely.
Even today the following searches are not too crowded:
https:/
https:/
And reverse depends show only snapcraft on top of that in Ubuntu.
TL;DR a theoretical risk exists, but I really think it is not real to
bite us.
[Other Info]
* There is also a MIR going on to promote those packages to main in
Xenial / Trusty. See bug 1746772, bug 1621386 and bug 1817327.
* There is a PPA that ensures buildability and can be used for further
pre-checks if needed. It is at
https:/
* @SRU Team - it is important to accept those into proposed in the
right order as they are also build dependencies of each other.
That would be (and obviously each time waiting until it is
built and published in proposed):
libsodium -> python-libnacl -> pymacaroons
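
An added illustration, not part of the bug report and not pymacaroons code: the macaroon properties quoted under [Impact] (embedded caveats, attenuation by any holder, integrity verification by the issuing service) sketched as a chained HMAC with only the Python standard library. The key, identifier, caveat syntax and function names are constructed for the example and do not reflect the pymacaroons API or its serialization.

```python
import hashlib
import hmac


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Issuing service creates the root macaroon: sig = HMAC(root_key, id)."""
    return {"id": identifier, "caveats": [],
            "sig": _mac(root_key, identifier.encode())}


def attenuate(macaroon: dict, caveat: str) -> dict:
    """Any holder can add a caveat without knowing the root key:
    new_sig = HMAC(old_sig, caveat). The result is a weaker credential."""
    return {"id": macaroon["id"],
            "caveats": macaroon["caveats"] + [caveat],
            "sig": _mac(macaroon["sig"], caveat.encode())}


def verify(root_key: bytes, macaroon: dict, context: dict) -> bool:
    """Only the issuer (holder of root_key) can recompute the chain.
    Each caveat is a 'key = value' predicate that context must satisfy."""
    sig = _mac(root_key, macaroon["id"].encode())
    for caveat in macaroon["caveats"]:
        key, sep, value = caveat.partition(" = ")
        if not sep or context.get(key) != value:
            return False  # malformed or unsatisfied caveat: deny
        sig = _mac(sig, caveat.encode())
    return hmac.compare_digest(sig, macaroon["sig"])


# Constructed sample values, not taken from the bug report.
ROOT_KEY = b"constructed-root-key-for-demo"
root = mint(ROOT_KEY, "entitlement-token-1")
delegated = attenuate(attenuate(root, "series = trusty"), "service = esm")

# Tampering: drop the last caveat but keep the attenuated signature.
stripped = dict(delegated, caveats=delegated["caveats"][:-1])

if __name__ == "__main__":
    ctx = {"series": "trusty", "service": "esm"}
    print("delegated, matching context:", verify(ROOT_KEY, delegated, ctx))
    print("delegated, wrong series:   ",
          verify(ROOT_KEY, delegated, {"series": "xenial", "service": "esm"}))
    print("caveat stripped by holder: ", verify(ROOT_KEY, stripped, ctx))
```

Removing a caveat fails verification because the holder only has the latest signature and cannot step the HMAC chain backwards without the root key.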
Changed in python-libnacl (Ubuntu Trusty):
status: Fix Committed → Incomplete
Changed in libsodium (Ubuntu Trusty):
status: Fix Committed → Incomplete
This is in Xenial and later, so fixed release there.
Added a bug Task for Trusty and changed my repositories to refer to this new bug number.