[MIR] cheetah

Bug #434704 reported by Scott Moser on 2009-09-22
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cheetah (Ubuntu)
High
Unassigned
Nominated for Karmic by Scott Moser

Bug Description

Binary package hint: python-cheetah

Please consider cheetah for inclusion into main. python-cheetah provides a template engine that is used by ec2-init.

Main Inclusion Report can be found at:
  * https://wiki.ubuntu.com/MainInclusionCheetah

Note, that python-cheetah is a dependency for other MIR:
 * ec2-init : bug 434693 : https://wiki.ubuntu.com/MainInclusionEc2-Init

Martin Pitt (pitti) on 2009-09-23
Changed in cheetah (Ubuntu):
assignee: nobody → Loïc Minier (lool)
summary: - Main Inclusion Request: cheetah
+ [MIR] cheetah
Chuck Short (zulcss) wrote :

Loic,

If you could get to this as soon as possible that would be great.

Thanks
chuck

Loïc Minier (lool) wrote :

I uploaded a couple of fixes.

debian/control.in is out of date (in Debian SVN too) *sigh*

I'm not 100% comfortable with the security approach; there are a bunch of eval()s and exec()s in there. Since it's a web development framework, I wouldn't like it if we promoted to main an insecure programming environment for instance.
  Albeit given it's planned use for EC2, I would be willing to promote this now and do a security review later.
I think the testsuite should really be enabled.

Please subscribe to bug mail.

FYI the upstream MANIFEST is bogus:
warning: no files found matching '*.cfg'
warning: no files found matching 'examples'
warning: no files found matching 'docs'
warning: no files found matching 'bin'
warning: no files found matching '*' under directory 'docs'
warning: no files found matching '*' under directory 'examples'

Does it directly (not through a library) process binary (video, audio, etc) or structured (PDF, etc) data ? No.
Err it certainly does; it processes templates and input vars.

Loïc Minier (lool) wrote :

Kees, I'm assigning to you to have a quick security look; don't think that should block the MIR though if it's just for ec2-init in karmic.

I personally only request enabling the testsuite and sub-ing to bug mail by the Ubuntu maintainers before promotion.

Changed in cheetah (Ubuntu):
assignee: Loïc Minier (lool) → Kees Cook (kees)
Loïc Minier (lool) wrote :

I uploaded another monkey which runs the testsuite against all python versions but ignores the failures (30 out of 2066); could you disable/fix/report upstream the relevant failures? Thanks!

Kees Cook (kees) wrote :

This seems generally okay to me. Since this is a templating system, exec tends to be unavoidable, but nothing really terrible jumps out at me. I'm curious how the genshi package compares to this package in functionality. I know it gets used a lot by some of the Landscape folks, and I know from experience that it generates safe XML and HTML output.

Changed in cheetah (Ubuntu):
status: New → In Progress
assignee: Kees Cook (kees) → nobody
Martin Pitt (pitti) wrote :

Promoted

Changed in cheetah (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers