[MIR] horizon

Bug #914164 reported by Chuck Short
Affects           Status        Importance  Assigned to  Milestone
horizon (Ubuntu)  Fix Released  High        Chuck Short

Bug Description

Rationale: Part of the servercloud-p-openstack specification.
Security: No known security history, however it needs to have a security review by the security team.
Quality Assurance: Package works out of the box but it needs to be configured for your specific setup. There are no major bugs in Ubuntu and there are no major bugs in Debian.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Python package that the Ubuntu Server Team will maintain.
Dependencies: The majority of packages have been added to main, but there are still some outstanding. MIRs have been opened in separate bug reports for them.

Dave Walker (davewalker)
Changed in horizon (Ubuntu):
importance: Undecided → High
Matthias Klose (doko) wrote :

 - the copyright and license for the packaging seem to be wrong or missing
 - why are the tests run during the build, but test results ignored?
 - please subscribe to the package bug reports

Changed in horizon (Ubuntu):
status: New → Incomplete
Changed in horizon (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Matthias Klose (doko) wrote :

- the copyright information was added in 2012.1~rc1~20120308.1479-0ubuntu1

Dave Walker (davewalker) wrote :

~ubuntu-server subscribed to bugmail.

Changed in horizon (Ubuntu):
status: Incomplete → Confirmed
Jamie Strandboge (jdstrand) wrote :

I performed a shallow review of horizon:

CVE history: no, but the code is new. That said, upstream is very responsive and the server team is committed to it and active with upstream.

Embeds some jquery scripts from jquery-goodies (they are newer than what is in the archive) in horizon/static/horizon/js/jquery/

Not lintian clean

No upstart jobs or initscripts, no dbus services or setuid programs. No cron jobs. No sudoers fragments.

Uses python-django, so a lot of security features are enabled (CSRF protections (verified in use), etc)

Allows downloading of EC2 and OpenStack credentials. The openstack .rc file that is downloaded prompts for the password, so that is good (though the OS_USERNAME and OS_TENANT_NAME are in there). The EC2 credentials give the EC2_ACCESS_KEY and EC2_SECRET_KEY. This is all delivered over http. The http://openstack/settings/* pages should probably warn that this is happening over an insecure connection. Setting up apache to use ssl and accessing horizon works fine.

horizon connects to keystone via http://, so it needs to be on a protected LAN.

http://openstack/nova/images_and_snapshots/ gave me a full traceback. The packaging should be adjusted to hide these as it might provide information to an attacker. Specifically at the bottom of the page I see: "You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 500 page."

Other pages with tracebacks (related to usage I think):
http://openstack/nova/instances_and_volumes/
http://openstack/nova/images_and_snapshots/

Conditional ACK provided the following are addressed:
- set 'DEBUG = False'
- while an administrator should know that setting up horizon for access over http:// would expose credentials, it would be good if the settings pages warned if the user was accessing the urls via http:// in some manner
- a release note should be added that horizon needs to connect to keystone over a protected network (LP: #978963)

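The two hardening points from the review above (a generic 500 page instead of a traceback, and a warning when a page that hands out credentials is served over plain http), as an added example that is not horizon's code and not part of this bug report. It is written as a framework-independent WSGI wrapper rather than as Django settings, so it runs without Django installed; the credential paths, the demo application, the `X-Insecure-Transport` header and every sample value are constructed for the example.

```python
"""Added example, not code from horizon or from this bug report: a WSGI wrapper
showing (1) a fixed 500 page instead of a traceback when debug is off and
(2) a warning when a credential-download page is served over plain http.
All paths, the demo app, the header name and sample values are constructed."""
import traceback

# Constructed: prefixes of pages that hand out credentials, standing in for
# the /settings/* pages named in the review.
CREDENTIAL_PATHS = ("/settings/ec2/", "/settings/project/")

INSECURE_WARNING = (
    "Warning: this page is served over plain http; credentials downloaded "
    "from it can be read by anyone on the network path."
)


def is_insecure(environ):
    """True unless the request arrived over https.

    X-Forwarded-Proto is honoured so a TLS-terminating proxy in front of the
    WSGI server is recognised; only trust it when that proxy overwrites any
    value the client sent, otherwise a client could claim 'https' itself.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
    scheme = forwarded or environ.get("wsgi.url_scheme", "http")
    return scheme != "https"


def render_error(exc, debug):
    """Error page for an unhandled exception; returns (status, body bytes)."""
    status = "500 Internal Server Error"
    if debug:
        # What the review saw with DEBUG = True: the whole traceback, including
        # whatever the exception message contains, goes to the client.
        detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return status, detail.encode()
    # DEBUG = False behaviour: a fixed page that reveals nothing about the failure.
    return status, b"Server Error (500)\n"


class HardenedDashboard:
    """WSGI wrapper: error boundary plus insecure-transport warning."""

    def __init__(self, app, debug=False):
        self.app = app
        self.debug = debug

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"] = status
            captured["headers"] = list(headers)
            return lambda _data: None

        try:
            body = b"".join(self.app(environ, capture))
        except Exception as exc:  # error boundary: nothing unhandled reaches the client
            status, body = render_error(exc, self.debug)
            start_response(status, [("Content-Type", "text/plain")])
            return [body]

        headers = captured["headers"]
        if is_insecure(environ) and environ.get("PATH_INFO", "").startswith(CREDENTIAL_PATHS):
            headers.append(("X-Insecure-Transport", "true"))
            body = INSECURE_WARNING.encode() + b"\n" + body
        headers = [h for h in headers if h[0].lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]


def demo_app(environ, start_response):
    """Constructed stand-in for the dashboard: one credential download page and
    one page that fails, like the traceback pages listed in the review."""
    path = environ.get("PATH_INFO", "/")
    if path == "/settings/ec2/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"EC2_ACCESS_KEY=<example-key>\nEC2_SECRET_KEY=<example-secret>\n"]
    if path == "/nova/images_and_snapshots/":
        raise RuntimeError("image service call failed: token=<example-token>")
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def run_request(app, path, scheme="http", debug=False):
    """Drive the wrapped app with a constructed WSGI environ and return
    (status, headers, body), so each setting can be checked without a server."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, headers
        return lambda _data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": scheme}
    body = b"".join(HardenedDashboard(app, debug=debug)(environ, start_response))
    return result["status"], result["headers"], body


if __name__ == "__main__":
    for path, scheme, debug in [("/settings/ec2/", "http", False),
                                ("/settings/ec2/", "https", False),
                                ("/nova/images_and_snapshots/", "https", True),
                                ("/nova/images_and_snapshots/", "https", False)]:
        status, _, body = run_request(demo_app, path, scheme, debug)
        print(f"{scheme}://dashboard{path} debug={debug} -> {status}\n{body.decode()}")
```

Running the block prints the four cases side by side: the credential page over http gets the warning prepended and the marker header, the same page over https is returned untouched, and the failing page shows the full traceback (with the token in the exception message) only when `debug=True`.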
Changed in horizon (Ubuntu):
status: Confirmed → In Progress
assignee: Jamie Strandboge (jdstrand) → Chuck Short (zulcss)
Jamie Strandboge (jdstrand) wrote :

This: "while an administrator should know that setting up horizon for access over http:// would expose credentials, it would be good if the settings pages warned if the user was accessing the urls via http:// in some manner". If it is not fixed, it would be acceptable to mention it in a release note.

Martin Pitt (pitti) wrote :

See http://people.canonical.com/~ubuntu-archive/component-mismatches.svg, this needs an additional MIR for cherrypy3.

Dave Walker (davewalker) wrote :

@pitti the dep on cherrypy3 is resolved (dropped), and the other MIR criteria have been resolved. There is an open bug task for release notes regarding insecure content.

Thanks.

Martin Pitt (pitti) wrote :

Promoted.

Changed in horizon (Ubuntu):
status: In Progress → Fix Released