[MIR] new dependencies of cherrypy3: jaraco.collections, jaraco.classes, jaraco.text, python-cheroot, python-jaraco.functools, python-tempora, python-portend, zc.lockfile

Bug #1930111 reported by Stefano Rivera
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cherrypy3 (Ubuntu)
In Progress
Undecided
Unassigned
jaraco.classes (Ubuntu)
Fix Released
Undecided
Unassigned
jaraco.collections (Ubuntu)
Fix Released
Undecided
Unassigned
jaraco.text (Ubuntu)
Fix Released
Undecided
Unassigned
python-cheroot (Ubuntu)
Fix Released
Undecided
Unassigned
python-jaraco.functools (Ubuntu)
Fix Released
Undecided
Unassigned
python-portend (Ubuntu)
Fix Released
Undecided
Unassigned
python-tempora (Ubuntu)
Fix Released
Undecided
Unassigned
zc.lockfile (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

[Availability]
All packages are already in universe, and in sync with Debian.
They are all architecture independent.
jaraco.classes, jaraco.collections is new to Debian & Ubuntu (currently only in experimental), and portend and jaraco.functools are relatively new, since 2019
cheroot and zc.lockfile have been in Debian & Ubuntu for many years.

[Rationale]
Dependencies of the new cherrypy3 18.6.0-1 release.

[Security]
No security issues ever reported for any of these libraries.

[Quality assurance]
All the packages are simple Python libraries, no configuration or debconf questions.
No open bugs in Debian or Ubuntu.
jaraco.classes, jaraco.collections, jaraco.functools, jaraco.text, portend, tempora, and zc.lockfiles's test suites are run at build time.
cheroot's test suite is not run at build time, due to missing dependencies in the archive (jaraco.context).
No significant lintian issues, although jaraco.functools, portend, tempora and zc.lockfile could fix some obvious trivial issues.

[Dependencies]
This issue is for a set of dependencies for cherrypy3

[Standards compliance]
Packages are simple python libraries, installed to the correct locations, and lintian clean (except old standards versions, compats, etc.)

[Maintenance]
All packages seem relatively well maintained upstream, and are a few years old at this point.
jaraco.classes, jaraco.collections, jaraco.functools, ported, and tempora have 0 open issues and pull requests, upstream.
chreroot has tens of open issues and pull requests, but the project hasn't stagnated, it just seems to be being actively developed.
zc.lockfile has seen no commits since 2019, but doesn't have issues and PRs piling up.

[Background information]

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

@James - will the openstack team own (and you do the reviews) on these ?

Changed in jaraco.classes (Ubuntu):
assignee: nobody → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

for reference - ceph-mgr uses cherrypy3 which is what pulls this into main.

Revision history for this message
James Page (james-page) wrote :

jaraco.classes:

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in jaraco.classes (Ubuntu):
status: New → Fix Committed
Changed in jaraco.collections (Ubuntu):
status: New → Fix Committed
Revision history for this message
James Page (james-page) wrote :

jaraco.collections:

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Revision history for this message
James Page (james-page) wrote :

jaraco.text

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in jaraco.text (Ubuntu):
status: New → Fix Committed
Changed in python-jaraco.functools (Ubuntu):
status: New → Fix Committed
Revision history for this message
James Page (james-page) wrote :

python-jaraco.functools

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in python-portend (Ubuntu):
status: New → Fix Committed
Revision history for this message
James Page (james-page) wrote :

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

Would be nice to see the most recent upstream release but I don't consider this
a blocker for promotion.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is not packaged (2.6 vs 2.7.1)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Recommendation:
- Bump package version to most recent upstream release (not a blocker).

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Revision history for this message
James Page (james-page) wrote :

#7 was for python-portend

Revision history for this message
James Page (james-page) wrote :

python-tempora:

[Summary]
Looks OK from my perspective for promotion to main and no security review needed.

Would be nice to see the most recent upstream release but I don't consider this
a blocker for promotion.

+1 from MIR team.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is not packaged (2.1.1 vs 4.0.2)
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

Recommendation:
- Bump package version to most recent upstream release (not a blocker).

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Revision history for this message
James Page (james-page) wrote :

python-cheroot:

[Summary]
This package provides a pure Python HTTP server implementation which is
used as part of CherryPy - as a result it needs a full security review.

The test suite for this package is currently skipped due to missing
dependencies - as this feels like a critical part of CherryPy I'd like
to see this deficiency resolved prior to promotion to Ubuntu main.

[Duplication]
OK:
- There is no other package in main providing the same functionality.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jaraco)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

Blockers:
- test suite present but currently skipped in packaging.

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- current release less one patch release is currently packaged.
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in python-cheroot (Ubuntu):
status: New → Incomplete
Changed in python-tempora (Ubuntu):
status: New → Fix Committed
Changed in jaraco.classes (Ubuntu):
assignee: James Page (james-page) → nobody
Revision history for this message
James Page (james-page) wrote :

$ ./subscribe-to-package.py --user ubuntu-openstack --package jaraco.classes,jaraco.collections,jaraco.text,python-jaraco.functools,python-portend,python-temporaubuntu-openstack is now subscribed to all bugs about jaraco.classes.
ubuntu-openstack is now subscribed to all bugs about jaraco.collections.
ubuntu-openstack is now subscribed to all bugs about jaraco.text.
ubuntu-openstack is now subscribed to all bugs about python-jaraco.functools.
ubuntu-openstack is now subscribed to all bugs about python-portend.
ubuntu-openstack is now subscribed to all bugs about python-tempora.

Changed in zc.lockfile (Ubuntu):
assignee: nobody → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

zc.lockfile:

[Summary]
Fairly simple python package to support IPC locks under Python3

+1 from MIR team for promotion to main.

[Duplication]
OK:
- There are similar packages in main but this is a fairly trivial python
  module so no issue with some level of duplication.

[Dependencies]
OK:
- All covered on this MIR bug.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- no history of CVE's (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zc.lockfile)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest
- The package has a team bug subscriber
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python
- test suite present and executed as part of package build

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Relatively new package so no update history
- the current release is packaged.
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in zc.lockfile (Ubuntu):
status: New → Fix Committed
assignee: James Page (james-page) → nobody
Revision history for this message
James Page (james-page) wrote :

$ ./subscribe-to-package.py --user ubuntu-openstack --package zc.lockfile
ubuntu-openstack is now subscribed to all bugs about zc.lockfile.

Revision history for this message
James Page (james-page) wrote :

All OK apart from python-cheroot which needs some further work to enable the test suite and will then need security team review.

Changed in python-cheroot (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
jaraco.classes 3.2.1-2 in impish: universe/misc -> main
python3-jaraco.classes 3.2.1-2 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish i386: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.classes 3.2.1-2 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in jaraco.classes (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
jaraco.collections 3.3.0-1 in impish: universe/misc -> main
python3-jaraco.collections 3.3.0-1 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish i386: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.collections 3.3.0-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in jaraco.collections (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
jaraco.text 3.5.0-2 in impish: universe/misc -> main
python3-jaraco.text 3.5.0-2 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish i386: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.text 3.5.0-2 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in jaraco.text (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
python-jaraco.functools 3.0.0-1 in impish: universe/misc -> main
python3-jaraco.functools 3.0.0-1 in impish amd64: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish arm64: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish armhf: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish i386: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish ppc64el: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish riscv64: universe/python/optional/100% -> main
python3-jaraco.functools 3.0.0-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-jaraco.functools (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
python-portend 2.6-1 in impish: universe/misc -> main
python3-portend 2.6-1 in impish amd64: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish arm64: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish armhf: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish i386: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish ppc64el: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish riscv64: universe/python/optional/100% -> main
python3-portend 2.6-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-portend (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
python-tempora 2.1.1-1 in impish: universe/misc -> main
python3-tempora 2.1.1-1 in impish amd64: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish arm64: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish armhf: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish i386: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish ppc64el: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish riscv64: universe/python/optional/100% -> main
python3-tempora 2.1.1-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-tempora (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
zc.lockfile 2.0-1 in impish: universe/python -> main
python3-zc.lockfile 2.0-1 in impish amd64: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish arm64: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish armhf: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish i386: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish ppc64el: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish riscv64: universe/python/optional/100% -> main
python3-zc.lockfile 2.0-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in zc.lockfile (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
James Page (james-page) wrote :

Test suite execution during package build enabled (albeit with some tests disabled due to missing dependencies or requirements for newer versions of pytest modules).

Assigning task for Ubuntu Security team review.

Changed in python-cheroot (Ubuntu):
status: Incomplete → New
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Michael Hudson-Doyle (mwhudson) wrote :

Adding cherrypy3 task and update-excuse tag so this shows up under the cherrypy3 entry on excuses.

Changed in cherrypy3 (Ubuntu):
status: New → In Progress
tags: added: update-excuse
Changed in python-cheroot (Ubuntu):
status: New → In Progress
Revision history for this message
Camila Camargo de Matos (ccdm94) wrote :

Hello,

I have been doing the security review for this package and before I can finalize it, I would like to address some possible issues and try to understand what might be their consequences:

(1) When building the package for analysis, I was unable to do so with testing activated. The tests hang at 19% and the build simply does not continue when it reaches this point. Of course, it could be that the test takes an extremely long time (I did not wait more than 2hrs before deciding to cancel the build and restart with tests deactivated), but either way, we need builds to finish
in order to support the package, and it would be ideal to include tests to make sure
that our updates are good ones. Is this a known issue? Is it possible I did something wrong when building? If it is indeed an issue, how could we solve it?

(2) While analyzing the code, I came across a function that creates Unix sockets with the 0777 permission set. This could be an issue, so I would like to know more about the uses that will be utilizing the Unix sockets functionality, as well as if they should be considering permissions other than 0777.

Thanks!
Regards,
Camila Camargo de Matos.

Revision history for this message
Lukas Märdian (slyon) wrote :

Changing python-cheroot back to "Incomplete" as we need feedback from the reporter about the security team's questions.

Changed in python-cheroot (Ubuntu):
status: In Progress → Incomplete
Revision history for this message
Camila Camargo de Matos (ccdm94) wrote (last edit ):
Download full text (6.2 KiB)

I reviewed python-cheroot 8.5.2+ds1-1ubuntu2 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-cheroot is a Python library that implements an HTTP server and includes a WSGI module.

- CVE History: No CVEs in our UCT database.
- The python-cheroot package is a Python library which is mainly used by CherryPy (however, it can be used by other frameworks and applications. It does not import cherrypy in order to allow this). It implements an HTTP server, and includes a WSGI module.
- Build-deps: debhelper-compat (= 13), dh-python (>= 2.20160609~),
  python3-all, python3-packaging, python3-pytest, python3-setuptools,
  python3-setuptools-scm-git-archive, python3-pytest-cov,
  python3-pytest-forked, python3-pytest-xdist, python3-pytest-mock,
  python3-jaraco.functools, python3-jaraco.text, python3-trustme,
  python3-openssl, python3-portend, python3-requests-unixsocket,
- Extensive networking
- Depends on the SSL library python3-openssl.
- Depends on the networking library python3-requests-unixsocket.
- Encryption imports: ssl, OpenSSL (seems to include both for compatibility reasons, if not specified, will use ssl related code by default).
- Networking imports: urllib (used mostly for parsing), socket, requests, requests_unixsocket, portend, requests_toolbelt.
- pre/post inst/rm scripts automatically generated dh_python*
- Does not daemonize.
- No init scripts.
- No systemd units, although the code seems to allow systemd socket activation.
- No dbus services.
- No setuid binaries.
- No binaries in PATH.
- No sudo fragments.
- No polkit files.
- No udev rules
- No cron jobs.
- The package contains a test folder with various Python tests specific for usage with python-cheroot (since it uses fixtures). They can be run locally and are included to the system during install. Nothing too alarming was found in the testing code. However, it is expected that this will be maintained together with the rest of the code. FIXME comments in tests indicate that this is the case.
- When tests are active for a build, the build hangs with 19% of the tests complete, it being killed with signal TERM after 150 minutes of inactivity. This applies to local builds made. In the test rebuild done in January for this package (more information available at: https://launchpadlibrarian.net/579489603/buildlog_ubuntu-jammy-amd64.python-cheroot_8.5.2+ds1-1ubuntu2_BUILDING.txt.gz and https://people.canonical.com/~ginggs/ftbfs-report/test-rebuild-20211217-jammy-jammy.html) it is possible to verify that the build also fails due to hanging tests (in this case, however, tests hang at
13%).

- A few subprocesses spawned, but the calls are being made in a sufficiently safe manner.
- No memory management (Python). No usage of the garbage collection library (gc).
- No files written to, only sockets. Certificate files are opened for reading and further processing. No issues related to possible file descriptor exhaustion or buffered file data being available for reading in case of a crash.
- Does not log any errors to files. All error messages are sent to stderr or are sent through raised exceptions to the user. Mos...

Read more...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for the review, back on the openstack team to resolve the last few requests - then it is ready. Assigning it to James Page for that.

Changed in python-cheroot (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

@ccdm94

Re the 777 permissions on the UNIX socket created in server.py - I guess it would make sense to allow the UNIX socket permissions to be hardened to be more limited. Seems like a desirable feature but I don't think this code path is used in the scope of this MIR (cherrypy3).

I did a read through the cherrypy3 usage of cheroot and AFAICT all of its usage of cheroot is via the network socket support rather than the UNIX socket support (socket_host/port configuration options).

Changed in python-cheroot (Ubuntu):
status: Incomplete → New
Revision history for this message
James Page (james-page) wrote :

On the hanging unit tests - this did not happen when I did the original test enablement and seems due to some other dependency change in Jammy - I'll dig into that.

The newer cheroot version in Debian is not an option as it has further test requirements that are not packaged.

Changed in python-cheroot (Ubuntu):
status: New → Incomplete
Revision history for this message
James Page (james-page) wrote :

The hanging tests appear related to the switch in default Py3 to 3.10 as the same tests pass fine with 3.9.

Looking upstream for a related fix.

Revision history for this message
James Page (james-page) wrote :

bug 1965306 covers the fixes for compatibility with Python 3.10.

Changed in python-cheroot (Ubuntu):
status: Incomplete → New
Revision history for this message
James Page (james-page) wrote :

Assigning back to ubuntu-security for final review.

Changed in python-cheroot (Ubuntu):
assignee: James Page (james-page) → nobody
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Camila Camargo de Matos (ccdm94) wrote :

Security team ACK for promoting python-cheroot to main.

Changed in python-cheroot (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thank you all,
to summarize we are now:

- MIR Ack
- Security Ack
=> Can be promoted to main from this POV

Currently we have:
 python-cheroot | 8.5.2+ds1-1ubuntu2 | jammy/universe | source
 python-cheroot | 8.5.2+ds1-1ubuntu3 | jammy-proposed/universe | source

That ubuntu3 version is the fix for the mentioned bug 1965306 and so far tests look good to me.

This can be promoted to main and promotion+bugfix should allow it to migrate to jammy-release.

P.S. I think we should just promote the version in -proposed which will - on migration - take that main-attribute into jammy-release.
Let me try to prepare this ...

Changed in python-cheroot (Ubuntu):
status: New → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

FYI - Right now it seems this is all good, but waits for openstack-ubuntu-packagers to subscribe to the package. I've pinged #openstack about this.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The Team that needs to be subscribed is actually https://launchpad.net/~ubuntu-openstack but other than that my assessment above is still correct.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Subscription was added by James (thanks) now it was ready:

Override component to main
python-cheroot 8.5.2+ds1-1ubuntu3 in jammy: universe/misc -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy amd64: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy arm64: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy armhf: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy i386: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy ppc64el: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy riscv64: universe/python/optional/100% -> main
python3-cheroot 8.5.2+ds1-1ubuntu3 in jammy s390x: universe/python/optional/100% -> main
Override [y|N]? y
8 publications overridden.

I hope all of this combined lets things migrate now.

Changed in python-cheroot (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers