[MIR] mailman-hyperkitty as dependency of mailman3
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| mailman-hyperkitty (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
[Availability]
The package is already universe for quite a while and build/works fine so far.
It is for example already used for https:/
This source builds only python3-
[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR of it is at bug 1775427:
Mailman (2) has only python2 support, but we strive for python3,
therefore Mailman3 which has python3 support should be promoted to main.
While mailman3 is an evlution of mailman2 this is all new code as the old default archiving was the built in pipermail archiver.
There are alternative archivers (also for mailman2) but hyperkitty is the one coming with the mailman3 stack.
[Security]
No known CVEs found.
A few old issues can be found against mailman2 and one (but long fixed) for mailman 3
=> https:/
Nothing at all for hyperkitty.
[Quality assurance]
The mailman3 stacks as of now (Disco) installs fine and provides a base
config. But due to the nature of the package that needs further modification
to be of real use.
The package does not ask debconf questions higher than medium and is not installed by default.
Zero known bugs in Ubuntu and Debian for this component.
There are no regular upstream releases (might be just stable) but Debian packages fixes regularly.
No exotic HW involved.
No build time tests as it needs active servers, but implmented as dep8 tests in this and several other packages of the mailman stack packages.
d/watch is set up and ok.
No Lintian warning except fairly recent newer Standards version.
The package does not rely on demoted or obsolete packages.
[UI standards]
Comes with 7 translations in .po files
No End-user applications that needs a standard conformant desktop file.
[Dependencies]
Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.
[Standards compliance]
The package meets the FHS and Debian Policy standards.
The packaging itself is very straight forward and uses dh_* as much as possible - the d/rules fits on one screen.
[Maintenance]
The Server team will subscribe for the package for maintenance
[Background]
The package description explains the general purpose and context of the package well.
| Christian Ehrhardt (paelzer) wrote | #1 |
| Changed in mailman-hyperkitty (Ubuntu): | |
| assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
| Changed in mailman-hyperkitty (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Christian Ehrhardt (paelzer) wrote | #2 |
| Changed in mailman-hyperkitty (Ubuntu): | |
| status: | New → Won't Fix |
[Duplication]
This is part of the six core packages of mailman3 that pull in further components as needed.
Since this represents mailman doing mailing list processing there is a duplication to mailman2.
But the intention is to stop seeding mailman2 as soon as mailman3 got promoted.
[Embedded sources and static linking]
This package does not contain embedded library sources.
This package doe not statically link to libraries.
No Go package
[Security]
I can confirm that there seems to be no CVE/Security history for this package.
But there is enough for mailman2 (and a bit for 3) that we should expect not (much) less in the future when it becomes more widely used.
=> https:/
It Does not:
- run a daemon as root
- uses old webkit
- uses lib*v8 directly
- open a port
- integrates arbitrary javascript into the desktop
- deals with system authentication
- uses centralized online accounts
- parse data formats
But it does:
- processes arbitrary web (actually mail) content
The archiver is pluggable, this is the plugin to link up hyperkitty (the default official archiver) with mailman3.
And while it justs hands over the mails those elements are often neglected and end up being the insecure ones.
A security review is recommended on this package.
[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- no build time tests, but tests run as autopkgtest (as they need services up)
[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present bug ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder
[Upstream red flags]
- no suspicious errors during build
- a few deprectation warnings e.g. collections.abc that will die with python 3.8, but those are all actually from packages it depends on. I'm pretty sure they will adopt over time (alembic, sqlalchemy, urllib3, lazr) only urllib3 is the one dying with 3.8
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either
[Summary]
Ack from the MIR-Teams POV, but as outlined above a security review is recommended.
Assigning the security Team.