[MIR] cheetah

Bug #434704 reported by Scott Moser
Affects: cheetah (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned | Milestone: (none)
Nominated for Karmic by Scott Moser

Bug Description

Binary package hint: python-cheetah

Please consider cheetah for inclusion into main. python-cheetah provides a template engine that is used by ec2-init.

Main Inclusion Report can be found at:
  * https://wiki.ubuntu.com/MainInclusionCheetah

Note, that python-cheetah is a dependency for other MIR:
 * ec2-init : bug 434693 : https://wiki.ubuntu.com/MainInclusionEc2-Init

Martin Pitt (pitti)
Changed in cheetah (Ubuntu):
assignee: nobody → Loïc Minier (lool)
summary: - Main Inclusion Request: cheetah
+ [MIR] cheetah
Chuck Short (zulcss) wrote:

Loic,

If you could get to this as soon as possible that would be great.

Thanks
chuck

Loïc Minier (lool) wrote:

I uploaded a couple of fixes.

debian/control.in is out of date (in Debian SVN too) *sigh*

I'm not 100% comfortable with the security approach; there are a bunch of eval()s and exec()s in there. Since it's a web development framework, I wouldn't like it if we promoted to main an insecure programming environment for instance.
Albeit given its planned use for EC2, I would be willing to promote this now and do a security review later.
I think the testsuite should really be enabled.

Please subscribe to bug mail.

FYI the upstream MANIFEST is bogus:
warning: no files found matching '*.cfg'
warning: no files found matching 'examples'
warning: no files found matching 'docs'
warning: no files found matching 'bin'
warning: no files found matching '*' under directory 'docs'
warning: no files found matching '*' under directory 'examples'

Does it directly (not through a library) process binary (video, audio, etc) or structured (PDF, etc) data? No.
Err it certainly does; it processes templates and input vars.

Loïc Minier (lool) wrote:

Kees, I'm assigning to you to have a quick security look; don't think that should block the MIR though if it's just for ec2-init in karmic.

I personally only request enabling the testsuite and sub-ing to bug mail by the Ubuntu maintainers before promotion.

Changed in cheetah (Ubuntu):
assignee: Loïc Minier (lool) → Kees Cook (kees)
Loïc Minier (lool) wrote:

I uploaded another monkey which runs the testsuite against all python versions but ignores the failures (30 out of 2066); could you disable/fix/report upstream the relevant failures? Thanks!

Kees Cook (kees) wrote:

This seems generally okay to me. Since this is a templating system, exec tends to be unavoidable, but nothing really terrible jumps out at me. I'm curious how the genshi package compares to this package in functionality. I know it gets used a lot by some of the Landscape folks, and I know from experience that it generates safe XML and HTML output.

Changed in cheetah (Ubuntu):
status: New → In Progress
assignee: Kees Cook (kees) → nobody
Martin Pitt (pitti) wrote:

Promoted

Changed in cheetah (Ubuntu):
status: In Progress → Fix Released