[MIR] python-tabulate (dependency of cinder)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-tabulate (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
[Availability]
In universe
[Rationale]
Taken from the upstream commit that makes this change:
PrettyTable is no longer maintained and the last release was in 2013.
There are starting to be deprecation warnings emitted with newer Python
releases.
Various attempts to revive a fork haven't gained much traction. A common
recommendation is to move away from PrettyTable to tabulate. This
switches our usage to a close equivalent using that library instead.
[Security]
No security history
https:/
[Quality assurance]
Package has unit tests which are run as part of the package build.
[Dependencies]
All in main
[Standards compliance]
OK-ish - simple package but not updated to latest Standards-Version
[Maintenance]
Not that well maintained in Debian - last update was an NMU in October 2019 to remove Py2 support. More recent updates in Ubuntu to bump version and execute unit tests as part of package build.
[Background information]
tabulate provides similar function to prettytable - however not all openstack projects have made the switch and there are other reverse-depends in main for python3-
$ reverse-depends -c main python3-prettytable
Reverse-Depends
* ceph-common [amd64 arm64 armhf ppc64el s390x]
* python3-automaton
* python3-
* python3-
* python3-cinder
* python3-
* python3-cliff
* python3-futurist
* python3-glance
* python3-
* python3-heatclient
* python3-
* python3-
* python3-
* python3-nova
* python3-novaclient
* python3-
* python3-osprofiler
* python3-
* python3-
* python3-troveclient
That said, it formats output for python applications, so it would be considered fairly low risk from a security perspective; having two similar pkgs in main may therefore be more palatable.
Changed in python-tabulate (Ubuntu):
importance: Undecided → High
assignee: nobody → Ubuntu OpenStack (ubuntu-openstack)
description: updated
Changed in python-tabulate (Ubuntu):
status: Incomplete → New
assignee: Ubuntu OpenStack (ubuntu-openstack) → nobody
Changed in python-tabulate (Ubuntu):
status: Incomplete → New
[Summary]
Other than the known - but sort of accepted - duplication issue this LGTM.
Following the rules this also needs security review, and for an ack you also
need to add the team subscription.
@Openstack:
- please subscribe to the package and ping back here.
- thanks for improving and going ahead of Debian, but please continue to
put attention onto the package.
@Security - review needed, but should be small and fast
[Duplication]
There is the duplication issue with python3-prettytable that was already
mentioned in the description.
But the reasoning for the duplication rule is to keep maintenance effort
reasonable, this one does not seem to increase that a lot.
For now there seems to be no way to do openstack without it, and switching that
to python3-prettytable seems just as impractical as vice versa.
Nevertheless I'd want to ask the Openstack Team, after the current releases
are done, to check how doable a switch to python-tabulate would be for the
remaining rev-deps. It can be (and most likely is) "not doable", but then we
know instead of guess.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
Problems:
- it does not parse data formats to render them
I'm torn as this is really minimal, but following the rules there could be
something in here that could be exploited by people manipulating the data.
And that way people might breach into a more important program that depends/uses
python-tabulate.
This is small, so the review should be quick - but I'd ask to do one (better
safe than sorry)
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- used dh_python
Problems:
- does not have a test suite that runs as autopkgtest (probably ok for this as
itself only depends on python3)
- ubuntu-openstack (nor openstack- packagers) isn't subscribed yet
[Packaging red flags]
OK:
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is sporadic, but you fixed that - thanks
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs
that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using
Problems:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
I mean thanks for updating and enabling the tests, but just be clear that
therefore this package seems to be more on you than usual.
Please plan to n...