[MIR] jeepney

Bug #1861268 reported by Dmitry Shachnev
Affects (Importance, Assigned to):
- jeepney (Ubuntu): Medium, Unassigned
- python-secretstorage (Ubuntu): Undecided, Unassigned

Bug Description

[Availability]
Available in Ubuntu Focal.

[Rationale]
python-secretstorage, which is in main because it's a dependency of python-keyring, has been using dbus-python for a long time. However, as dbus-python's README says, it “might not be the best D-Bus binding for you to use”:
https://gitlab.freedesktop.org/dbus/dbus-python/blob/dbus-python-1.2.16/README#L13

Also, the Freedesktop wiki lists dbus-python among “Obsolete libraries”:
https://www.freedesktop.org/wiki/Software/DBusBindings/#obsoletelibraries

So the new release of secretstorage is now using jeepney, a lightweight pure Python D-Bus implementation, instead of dbus-python (which was written in C).

[Security]
No security history.

[Quality assurance]
Upstream has a test suite, and it is being run during package build:
https://launchpadlibrarian.net/459048962/buildlog_ubuntu-focal-amd64.jeepney_0.4.2-1_BUILDING.txt.gz

There is also an autopkgtest:
http://autopkgtest.ubuntu.com/packages/jeepney

[Dependencies]
Depends: python3:any
Build-Depends: debhelper-compat (= 12), dh-python, python3-all, python3-pytest, python3-sphinx, python3-sphinx-rtd-theme, python3-testpath

[Standards compliance]
Standards-Version: 4.4.1

[Maintenance]
Maintained upstream in https://gitlab.com/takluyver/jeepney.

Maintained in Debian by me under the umbrella of the Debian Python Modules Team. Maintenance is very simple; debian/rules is just 18 lines.

description: updated
James Page (james-page)
Changed in jeepney (Ubuntu):
assignee: nobody → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

Looking at the reverse-depends in main for python3-keyring:

$ reverse-depends -c main python3-keyring
Reverse-Depends
* python3-keystoneclient
* python3-launchpadlib
* python3-novaclient
* python3-openstackclient

keystoneclient has optional support for keyring (so could demote Depends->Suggests), novaclient and openstackclient have dropped support for keyring.

python3-launchpadlib does require use of keyring still.

Revision history for this message
James Page (james-page) wrote :

[Summary]
Alternative D-Bus implementation for Python applications.

MIR team -1 due to duplication of function; if we could switch over all reverse-depends in main this switch would be re-considered.

I've asked the Ubuntu OpenStack team to review use of python3-keyring to see if we can remove 3/4 of the reverse-depends that hold keyring in main - launchpadlib seems to be a potential blocker.

Would require security team review due to integration with D-Bus.

[Duplication]
Pure Python DBus implementation, fulfilling the same function as dbus-python.

python-secretstorage has migrated to jeepney, however there are a large number of other packages that still depend on python3-dbus:

$ reverse-depends -c main python3-dbus
Reverse-Depends
* hplip [amd64 arm64 armhf ppc64el s390x]
* language-selector-common
* networkd-dispatcher
* python3-aptdaemon
* python3-cupshelpers
* python3-dbus-dbg
* python3-secretstorage
* software-properties-common
* system-config-printer
* system-config-printer-common
* system-config-printer-udev [amd64 arm64 armhf ppc64el s390x]
* ubiquity-frontend-gtk [amd64 arm64 armhf ppc64el]
* ubuntu-release-upgrader-gtk
* ubuntu-system-service
* unattended-upgrades
* update-manager
* update-notifier [amd64 arm64 armhf ppc64el s390x]
* update-notifier-common
* usb-creator-common [amd64]
* usb-creator-gtk [amd64]

I suspect it's unlikely that these will all migrate during the Focal timeframe, so including this package in main would duplicate functionality.

[Embedded sources and static linking]
- no embedded source present
- no static linking

[Security]
- no history of CVEs
- does not use webkit1,2
- does not use lib*v8 directly
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not run a daemon as root
- does not open a port

But it has some security-sensitive elements:
- does not parse data formats
- integrates with D-Bus
- access to all data passed in between

Will require security team review.

[Common blockers]
- does not currently FTBFS
- no translation present, but none needed
- no python2
- has autopkgtests
- lacks a team bug subscriber

[Packaging red flags]
- In sync with debian
- symbols tracking not applicable for this code.
- d/watch is present and works
- Upstream update history is good
- Limited Debian/Ubuntu history (new for focal)
- the current release is packaged
- no MOTU problem
- no Lintian warnings
- d/rules nice and clean
- not using Built-Using
- no golang package for extra considerations about that

[Upstream red flags]
- no errors during the build
- no incautious use of malloc/sprintf (N/A)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no significant open bug reports upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

I can temporarily revert to the old version of SecretStorage which used dbus-python, but this is not a long-term solution because dbus-python and libdbus are obsolete.

I can also demote python3-keyring Depends on python3-secretstorage to Suggests, but in that case we will need another default backend. There are file-based backends in python3-keyrings.alt package, but there is no GUI to ask user for a password (only getpass module). Without a password it can store passwords unencrypted, which is definitely less secure.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

python3-keyring isn't used by python-openstackclient or python-novaclient, so it can be dropped from those packages. It is still used by python-keystoneclient, but it's optional, so it can be carried as a Suggests, where it won't need to be in Ubuntu main.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

I've uploaded new versions of python-openstackclient, python-novaclient, and python-keystoneclient to focal to deal with the changes mentioned in comment #4.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-novaclient - 2:16.0.0-0ubuntu2

---------------
python-novaclient (2:16.0.0-0ubuntu2) focal; urgency=medium

  * d/control: Drop python3-keyring as it is no longer used (LP: #1861268).

 -- Corey Bryant <email address hidden> Tue, 04 Feb 2020 13:26:18 -0500

Changed in python-novaclient (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-keystoneclient - 1:3.22.0-0ubuntu2

---------------
python-keystoneclient (1:3.22.0-0ubuntu2) focal; urgency=medium

  * d/control: Move python3-keyring to Suggests since it is optional
    (LP: #1861268).

 -- Corey Bryant <email address hidden> Tue, 04 Feb 2020 13:40:51 -0500

Changed in python-keystoneclient (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-openstackclient - 4.0.0-0ubuntu2

---------------
python-openstackclient (4.0.0-0ubuntu2) focal; urgency=medium

  * d/control: Drop python3-keyring as it is no longer used (LP: #1861268).

 -- Corey Bryant <email address hidden> Tue, 04 Feb 2020 13:28:26 -0500

Changed in python-openstackclient (Ubuntu):
status: New → Fix Released
Revision history for this message
James Page (james-page) wrote :

Reflecting on this situation, I think if we were not developing for an LTS release, having two Python D-Bus interfaces in main for an interim release period of 9 months might be acceptable; but we're not in that position, so I'd suggest that we stick with the older python3-dbus based secretstorage for 20.04.

This means we only have a single DBUS interface to support for an LTS (5/10 years) and we give the other upstream projects a bit more time to make the switch (maybe with some nudging/recommendation).

We can review again at the start of the 20.10 development cycle to see how things have progressed.

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Ok, I will revert python-secretstorage to an older version then.

Revision history for this message
James Page (james-page) wrote :

Marking Incomplete for now and targeting to later.

Changed in jeepney (Ubuntu):
assignee: James Page (james-page) → nobody
status: New → Incomplete
milestone: none → later
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Focal is now released, and Groovy has new python-secretstorage again, so please process jeepney MIR.

Changed in jeepney (Ubuntu):
status: Incomplete → New
no longer affects: python-keystoneclient (Ubuntu)
no longer affects: python-novaclient (Ubuntu)
no longer affects: python-openstackclient (Ubuntu)
Changed in jeepney (Ubuntu):
milestone: later → none
Changed in jeepney (Ubuntu):
assignee: nobody → James Page (james-page)
Revision history for this message
James Page (james-page) wrote :

MIR team ack as discussed last cycle but needs security team review.

Changed in jeepney (Ubuntu):
status: New → Confirmed
assignee: James Page (james-page) → Ubuntu Security Team (ubuntu-security)
status: Confirmed → New
importance: Undecided → Medium
Revision history for this message
Steve Langasek (vorlon) wrote :

Marking this as affecting python-secretstorage and tagging update-excuse so it's clear why this package is stuck in -proposed.

tags: added: update-excuse
Revision history for this message
Eduardo Barretto (ebarretto) wrote : security audit

I reviewed jeepney 0.4.3-1 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

jeepney is a pure Python D-Bus interface. D-Bus is an inter-process
communication system.

In its README file, the jeepney maintainer mentions:
"This project is experimental, and there are a number of more mature Python DBus bindings."

The mature options that the maintainer mentions don't seem to be as
maintained as jeepney.

- No CVE History
- Build-Depends:
  - python3-all
  - python3-pytest
  - python3-sphinx
  - python3-sphinx-rtd-theme
  - python3-testpath
- prerm and postinst scripts automatically created
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - the source code comes with some tests that can be run with pytest.
  - autopkgtests are also available for this package
- No cron jobs
- Build logs:
  - No relevant errors or warnings

- Processes spawned
  - Only in test code
- No memory management
- File IO
  - Opens and writes a .py output file when using bindgen to auto-generate
    DBus bindings. The path argument to bindgen is actually a DBus path and
    not a filesystem path.
  - There's not much handling of the output file; you can specify a path.
  - Bindgen is a tool and is not used anywhere else in the code.
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
- Use of temp files only in test code
- Use of networking
  - Uses sockets to connect to DBus when using tornado, asyncio or blocking I/O.
  - Looks safe
- No use of WebKit
- No use of PolicyKit

- Coverity only found issues in javascript code from the generated documentation
- Bandit found the following issues:
  - B405: import_xml_etree - LOW
  - B314: xml.etree.ElementTree.fromstring - MEDIUM
  - B101: assert_used - LOW
  - B105: hardcoded_password_string - LOW -> false positive
  - There are plenty of other LOW issues on test code that we are not analysing
  - Those issues are low enough to allow this MIR to continue

Although the maintainer still considers it experimental, it is a good test
to have it in a non-LTS Ubuntu, as dbus-python is obsolete.
Keep in mind that jeepney has some limitations:
https://jeepney.readthedocs.io/en/latest/limitations.html

Security team ACK for promoting jeepney to main.

tags: added: security-review-done
Changed in jeepney (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

This is now done:

$ change-override -S -s groovy jeepney -c main
Override component to main
jeepney 0.4.3-1 in groovy: universe/misc -> main
jeepney-doc 0.4.3-1 in groovy amd64: universe/doc/optional/100% -> main
jeepney-doc 0.4.3-1 in groovy arm64: universe/doc/optional/100% -> main
jeepney-doc 0.4.3-1 in groovy armhf: universe/doc/optional/100% -> main
jeepney-doc 0.4.3-1 in groovy i386: universe/doc/optional/100% -> main
jeepney-doc 0.4.3-1 in groovy ppc64el: universe/doc/optional/100% -> main
jeepney-doc 0.4.3-1 in groovy riscv64: universe/doc/optional/100% -> main
jeepney-doc 0.4.3-1 in groovy s390x: universe/doc/optional/100% -> main
python3-jeepney 0.4.3-1 in groovy amd64: universe/python/optional/100% -> main
python3-jeepney 0.4.3-1 in groovy arm64: universe/python/optional/100% -> main
python3-jeepney 0.4.3-1 in groovy armhf: universe/python/optional/100% -> main
python3-jeepney 0.4.3-1 in groovy i386: universe/python/optional/100% -> main
python3-jeepney 0.4.3-1 in groovy ppc64el: universe/python/optional/100% -> main
python3-jeepney 0.4.3-1 in groovy riscv64: universe/python/optional/100% -> main
python3-jeepney 0.4.3-1 in groovy s390x: universe/python/optional/100% -> main
Override [y|N]? y
15 publications overridden.

Changed in jeepney (Ubuntu):
status: New → Fix Released
Changed in python-secretstorage (Ubuntu):
status: New → Fix Released