Comment 1 for bug 1820193

Christian Ehrhardt  (paelzer) wrote :

[Duplication]
This provides NFS-safe locks with timeout functionality.
Some projects implemented their own fcntl bits while others use python-lockfile.
But there are more (for example here [1]) than just these.
python-lockfile is deprecated in favor of fastener or oslo-concurrency [2].
The latter would even be in main but actually is about locking functions.
Finally none of those provide timeouts on the locks as mailman needs it from
flufl.

That said, while I think there is a proliferation of python lock implementations
in general, in this case we can't point to another one to be used.

[1]: https://stackoverflow.com/a/34124007/6361589
[2]: https://pypi.org/project/lockfile/

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- use centralized online accounts
- integrate arbitrary javascript into the desktop
- deal with system authentication
- process arbitrary web content
- parse data formats
=> Therefore IMHO there is no security review needed for this.

[Common blockers]
- builds fine at the moment
- utilizes build time self tests
- utilizes (rather trivial) smoke test as autopkgtest.
- Server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3

[Packaging red flags]
- no current Ubuntu delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
MIR Team Ack as the package seems small, easy and sane to me.
As outlined above it will not need a security review.