[MIR] python-cssselect

Updated to use the full template (choosing TODO-A or TODO-B as appropriate), should be ready for MIR review.

Review for Source Package: python-cssselect

[Summary]
MIR team ACK
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main: python3-cssselect
Specific binary packages built, but NOT to be promoted to main: <None>

- The package should get a team bug subscriber before being promoted

[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality.
The rationale given in the report seems valid and useful for Ubuntu.
This package is required in Ubuntu as a runtime dependency of lxml.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)

Problems:
- does parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- Python package, but using dh_python

Problems: None

[Packaging red flags]
OK:
 - Ubuntu does not carry a delta
TODO-A: - symbols tracking is in place.
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is slow
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tes...

I reviewed python-cssselect 1.2.0-2 as checked into noble. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.

python-cssselect is a python library to parse CSS3 selectors and translate
them to XPath 1.0 expressions. XPath 1.0 expressions can be used in lxml or
another XPath engine to find the matching elements in an XML or HTML
document.

- CVE History
  - No history and no current CVE to this package
- Build-Depends
  - python3-all, python3-lxml, python3-pytest, python3-setuptools
- pre/post inst/rm scripts
  - post-inst: byte compile python3-cssselect
  - pre-rm: removes .pyc and .pyo files for python3-cssselect
- init scripts
  - Not-available
- systemd units
  - Not-available
- dbus services
  - Not-available
- setuid binaries
  - Not-available
- binaries in PATH
  - Not-available
- sudo fragments
  - Not-available
- polkit files
  - Not-available
- udev rules
  - Not-available
- unit tests / autopkgtests
  - autopkgtests contains unit tests and it is running fine
- cron jobs
  - Not-available
- Build logs
  - These warnings are generated:
```
dpkg-source: warning: extracting unsigned source package (python-cssselect_1.2.0-2.dsc)
warning: no files found matching 'py.typed'
/usr/lib/python3/dist-packages/setuptools/_distutils/cmd.py:66: SetuptoolsDeprecationWarning: setup.py install is deprecated.
dpkg-gencontrol: warning: package python3-cssselect: substitution variable ${python3:Depends} unused, but is defined
```

- Processes spawned
  - None
- Memory management
  - None
- File IO
  - Looks good
- Logging
  - Not much of a logging in the code except in xpath.py where
    `warnings.warn()` is being used for logging
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - No result
- Any significant Coverity results
  - No result
- Any significant shellcheck results
  - No result
- Any significant bandit results
  - None, looks fine
- Any significant govulncheck results
  - No result
- Any significant Semgrep results
  - No result

There are no open security issues upstream. The maintainers are not very
active in fixing opened issues/enhancement PRs. Their last few commits on
the package were to add support for new Python versions. The last version
published for this package was in Oct'22. The noble release uses the latest
available version upstream.

One recommendation for the owning team is to review and fix the build
warnings. Security team ACK for promoting python-cssselect to main.

Thanks for the positive MIR & security reviews! I agree the deprecation warnings should be looked into, but this isn't a blocker.

I've subscribed ~foundations-bugs to this package and moving it to "Fix Committed", as it's already showing up in component-mismatches, ready for AAs to promote it.

Thanks for everyone being involved, this is indeed ready for promotion to main.

There only is:
 python-cssselect | 1.2.0-2 | noble/universe | source

Pulled in by lxml

Override component to main
python-cssselect 1.2.0-2 in noble: universe/python -> main
python3-cssselect 1.2.0-2 in noble amd64: universe/python/extra/100% -> main
python3-cssselect 1.2.0-2 in noble arm64: universe/python/extra/100% -> main
python3-cssselect 1.2.0-2 in noble armhf: universe/python/extra/100% -> main
python3-cssselect 1.2.0-2 in noble i386: universe/python/extra/100% -> main
python3-cssselect 1.2.0-2 in noble ppc64el: universe/python/extra/100% -> main
python3-cssselect 1.2.0-2 in noble riscv64: universe/python/extra/100% -> main
python3-cssselect 1.2.0-2 in noble s390x: universe/python/extra/100% -> main
Override [y|N]? y
8 publications overridden.