Comment 9 for bug 1854362

Christian Ehrhardt  (paelzer) wrote : Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid

For python-configshell-fb

[Summary]
- Overall looks ok, MIR Team ack
- @Openstack team: it would be great if you would fix https://bugs.launchpad.net/ubuntu/+source/python-configshell-fb/+bug/1776761
  If you happen to UCA port this to 18.04 that might help anyway (unless you plan to add that package to UCA itself)
- While attack surface seems minimal the value of getting in seems high in this case, so security should have a look (assigning them)

[Duplication]
There is duplication around this project but not in Main.
https://pypi.org/project/configshell-fb/ belongs to https://github.com/open-iscsi/configshell-fb
Those are all forks, and a project has to live in either an "all -fb or none" world to work.
But Debian/Ubuntu run the -fb path of this everywhere, so that is good.

[Embedded sources and static linking]
- no embedded sources
- no static linking (python)
- no golang package

[Security]
- no CVE history
- no daemon as root
- no use of webkit1,2
- no use of lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam), etc.

But:
- does parse data formats from caller and coming back from configshell-fb
In general, since this deals with setting up storage, access to critical data is close.
OTOH the attack surface is low, as you'd need to have control of the application or the storage already.
Nevertheless it seems reasonable to ask security to have a look.

[Common blockers]
- builds fine atm
- unfortunately there is no test suite (neither build time nor autopkgtest)
- ubuntu-openstack is already subscribed to bugs of this
- no translations available (none needed for this case)
- dh helpers for python are used
- python2 packages present but not part of the dependency that will pull it into main

[Packaging red flags]
- no Ubuntu delta
- no symbols tracking in python to consider
- watch file is present
- Upstream releases are not rare, but come at what seem to be random intervals
  - Debian usually packages those quite well being up to date or one behind
  - E.g. the current release isn't packaged but the delta 1.1.25 -> 1.1.27 seems negligible so that is overall ok
- not causing problems for MOTUs
- no massive Lintian warnings
- d/rules is very small and clear
- no Built-Using
- no go package for further considerations

[Upstream red flags]
- no critical Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no user nobody
- no use of setuid
- No important bugs (crashers, etc) in Debian or Ubuntu going forward
  - https://bugs.launchpad.net/ubuntu/+source/python-configshell-fb/+bug/1776761 would be nice to be SRUed I guess
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI