[MIR] new dependencies of cherrypy3: jaraco.collections, jaraco.classes, jaraco.text, python-cheroot, python-jaraco.functools, python-tempora, python-portend, zc.lockfile

@James - will the openstack team own (and you do the reviews) on these ?

for reference - ceph-mgr uses cherrypy3 which is what pulls this into main.

jaraco.classes:

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

jaraco.collections:

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

jaraco.text

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

python-jaraco.functools

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

Would be nice to see the most recent upstream release but I don't consider this
a blocker for promotion.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is not packaged (2.6 vs 2.7.1)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Recommendation:
- Bump package version to most recent upstream release (not a blocker).

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

#7 was for python-portend

python-tempora:

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

Would be nice to see the most recent upstream release but I don't consider this
a blocker for promotion.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is not packaged (2.1.1 vs 4.0.2)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Recommendation:
- Bump package version to most recent upstream release (not a blocker).

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

python-cheroot:

[Summary]
This package provides a pure Python HTTP server implementation which is
used as part of CherryPy - as a result it needs a full security review.

The test suite for this package is currently skipped due to missing
dependencies - as this feels like a critical part of CherryPy I'd like
to see this deficiency resolved prior to promotion to Ubuntu main.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

Blockers:
- test suite present but currently skipped in packaging.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- current release less one patch release is currently packaged.
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

$ ./subscribe-to-package.py --user ubuntu-openstack --package jaraco.classes,jaraco.collections,jaraco.text,python-jaraco.functools,python-portend,python-temporaubuntu-openstack is now subscribed to all bugs about jaraco.classes.
ubuntu-openstack is now subscribed to all bugs about jaraco.collections.
ubuntu-openstack is now subscribed to all bugs about jaraco.text.
ubuntu-openstack is now subscribed to all bugs about python-jaraco.functools.
ubuntu-openstack is now subscribed to all bugs about python-portend.
ubuntu-openstack is now subscribed to all bugs about python-tempora.

zc.lockfile:

[Summary]
Fairly simple python package to support IPC locks under Python3

+1 from MIR team for promotion to main.

[Duplication]
OK:
- There are similar packages in main but this is a fairly trivial python
  module so no issue with some level of duplication.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zc.lockfile)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python
- test suite present and executed as part of package build

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged.
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

$ ./subscribe-to-package.py --user ubuntu-openstack --package zc.lockfile
ubuntu-openstack is now subscribed to all bugs about zc.lockfile.

All OK apart from python-cheroot which needs some further work to enable the test suite and will then need security team review.

Override component to main
jaraco.classes 3.2.1-2 in impish: universe/misc -> main
python3-jaraco.classes 3.2.1-2 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish i386: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Override component to main
jaraco.collections 3.3.0-1 in impish: universe/misc -> main
python3-jaraco.collections 3.3.0-1 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish i386: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Override component to main
jaraco.text 3.5.0-2 in impish: universe/misc -> main
python3-jaraco.text 3.5.0-2 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish i386: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Override component to main
python-jaraco.functools 3.0.0-1 in impish: universe/misc -> main
python3-jaraco.functools 3.0.0-1 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish i386: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Override component to main
python-portend 2.6-1 in impish: universe/misc -> main
python3-portend 2.6-1 in impish amd64: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish arm64: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish armhf: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish i386: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish ppc64el: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish riscv64: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Override component to main
python-tempora 2.1.1-1 in impish: universe/misc -> main
python3-tempora 2.1.1-1 in impish amd64: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish arm64: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish armhf: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish i386: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish ppc64el: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish riscv64: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Override component to main
zc.lockfile 2.0-1 in impish: universe/python -> main
python3-zc.lockfile 2.0-1 in impish amd64: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish arm64: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish armhf: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish i386: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish ppc64el: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish riscv64: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Test suite execution during package build enabled (albeit with some tests disabled due to missing dependencies or requirements for newer versions of pytest modules).

Assigning task for Ubuntu Security team review.

Adding cherrypy3 task and update-excuse tag so this shows up under the cherrypy3 entry on excuses.

Hello,

I have been doing the security review for this package and before I can finalize it, I would like to address some possible issues and try to understand what might be their consequences:

(1) When building the package for analysis, I was unable to do so with testing activated. The tests hang at 19% and the build simply does not continue when it reaches this point. Of course, it could be that the test takes an extremely long time (I did not wait more than 2hrs before deciding to cancel the build and restart with tests deactivated), but either way, we need builds to finish
in order to support the package, and it would be ideal to include tests to make sure
that our updates are good ones. Is this a known issue? Is it possible I did something wrong when building? If it is indeed an issue, how could we solve it?

(2) While analyzing the code, I came across a function that creates Unix sockets with the 0777 permission set. This could be an issue, so I would like to know more about the uses that will be utilizing the Unix sockets functionality, as well as if they should be considering permissions other than 0777.

Thanks!
Regards,
Camila Camargo de Matos.

Changing python-cheroot back to "Incomplete" as we need feedback from the reporter about the security team's questions.

I reviewed python-cheroot 8.5.2+ds1-1ubuntu2 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-cheroot is a Python library that implements an HTTP server and includes a WSGI module.

- CVE History: No CVEs in our UCT database.
- The python-cheroot package is a Python library which is mainly used by CherryPy (however, it can be used by other frameworks and applications. It does not import cherrypy in order to allow this). It implements an HTTP server, and includes a WSGI module.
- Build-deps: debhelper-compat (= 13), dh-python (>= 2.20160609~),
  python3-all, python3-packaging, python3-pytest, python3-setuptools,
  python3-setuptools-scm-git-archive, python3-pytest-cov,
  python3-pytest-forked, python3-pytest-xdist, python3-pytest-mock,
  python3-jaraco.functools, python3-jaraco.text, python3-trustme,
  python3-openssl, python3-portend, python3-requests-unixsocket,
- Extensive networking
- Depends on the SSL library python3-openssl.
- Depends on the networking library python3-requests-unixsocket.
- Encryption imports: ssl, OpenSSL (seems to include both for compatibility reasons, if not specified, will use ssl related code by default).
- Networking imports: urllib (used mostly for parsing), socket, requests, requests_unixsocket, portend, requests_toolbelt.
- pre/post inst/rm scripts automatically generated dh_python*
- Does not daemonize.
- No init scripts.
- No systemd units, although the code seems to allow systemd socket activation.
- No dbus services.
- No setuid binaries.
- No binaries in PATH.
- No sudo fragments.
- No polkit files.
- No udev rules
- No cron jobs.
- The package contains a test folder with various Python tests specific for usage with python-cheroot (since it uses fixtures). They can be run locally and are included to the system during install. Nothing too alarming was found in the testing code. However, it is expected that this will be maintained together with the rest of the code. FIXME comments in tests indicate that this is the case.
- When tests are active for a build, the build hangs with 19% of the tests complete, it being killed with signal TERM after 150 minutes of inactivity. This applies to local builds made. In the test rebuild done in January for this package (more information available at: https://launchpadlibrarian.net/579489603/buildlog_ubuntu-jammy-amd64.python-cheroot_8.5.2+ds1-1ubuntu2_BUILDING.txt.gz and https://people.canonical.com/~ginggs/ftbfs-report/test-rebuild-20211217-jammy-jammy.html) it is possible to verify that the build also fails due to hanging tests (in this case, however, tests hang at
13%).

- A few subprocesses spawned, but the calls are being made in a sufficiently safe manner.
- No memory management (Python). No usage of the garbage collection library (gc).
- No files written to, only sockets. Certificate files are opened for reading and further processing. No issues related to possible file descriptor exhaustion or buffered file data being available for reading in case of a crash.
- Does not log any errors to files. All error messages are sent to stderr or are sent through raised exceptions to the user. Mos...

Thanks for the review, back on the openstack team to resolve the last few requests - then it is ready. Assigning it to James Page for that.

@ccdm94

Re the 777 permissions on the UNIX socket created in server.py - I guess it would make sense to allow the UNIX socket permissions to be hardened to be more limited. Seems like a desirable feature but I don't think this code path is used in the scope of this MIR (cherrypy3).

I did a read through the cherrypy3 usage of cheroot and AFAICT all of its usage of cheroot is via the network socket support rather than the UNIX socket support (socket_host/port configuration options).

On the hanging unit tests - this did not happen when I did the original test enablement and seems due to some other dependency change in Jammy - I'll dig into that.

The newer cheroot version in Debian is not an option as it has further test requirements that are not packaged.

The hanging tests appear related to the switch in default Py3 to 3.10 as the same tests pass fine with 3.9.

Looking upstream for a related fix.

bug 1965306 covers the fixes for compatibility with Python 3.10.

Assigning back to ubuntu-security for final review.

Security team ACK for promoting python-cheroot to main.

Thank you all,
to summarize we are now:

- MIR Ack
- Security Ack
=> Can be promoted to main from this POV

Currently we have:
 python-cheroot | 8.5.2+ds1-1ubuntu2 | jammy/universe | source
 python-cheroot | 8.5.2+ds1-1ubuntu3 | jammy-proposed/universe | source

That ubuntu3 version is the fix for the mentioned bug 1965306 and so far tests look good to me.

This can be promoted to main and promotion+bugfix should allow it to migrate to jammy-release.

P.S. I think we should just promote the version in -proposed which will - on migration - take that main-attribute into jammy-release.
Let me try to prepare this ...

FYI - Right now it seems this is all good, but waits for openstack-ubuntu-packagers to subscribe to the package. I've pinged #openstack about this.

The Team that needs to be subscribed is actually https://launchpad.net/~ubuntu-openstack but other than that my assessment above is still correct.

Subscription was added by James (thanks) now it was ready:

Override component to main
python-cheroot 8.5.2+ds1-1ubuntu3 in jammy: universe/misc -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy amd64: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy arm64: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy armhf: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy i386: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy ppc64el: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy riscv64: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy s390x: universe/python/optional/100% -> main
Override [y|N]? y
8 publications overridden.

I hope all of this combined lets things migrate now.