I reviewed jeepney 0.4.3-1 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
jeepney is a pure Python D-Bus interface. D-Bus is an inter-process
communication system.
In its README file, the jeepney maintainer mentions:
"This project is experimental, and there are a
number of more mature Python DBus bindings."
The mature options that the maintainer mentions don't seem to be as
maintained as jeepney.
- No CVE History
- Build-Depends:
  - python3-all
  - python3-pytest
  - python3-sphinx
  - python3-sphinx-rtd-theme
  - python3-testpath
- prerm and postinst scripts automatically created
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - the source code comes with some tests that can be run with pytest.
  - autopkgtests are also available for this package
- No cron jobs
- Build logs:
  - No relevant errors or warnings
- Processes spawned
  - Only in test code
- No memory management
- File IO
  - Open and write a .py output file when using bindgen to auto-generate
    DBus bindings. The path argument to bindgen is actually a DBus path and
    not a filesystem path.
  - There's not much handling on the output file; you can specify a path.
  - Bindgen is a tool and not used anywhere else in the code.
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
- Use of temp files only in test code
- Use of networking
  - Use sockets to connect to DBus when using tornado, asyncio or blocking I/O.
  - Looks safe
- No use of WebKit
- No use of PolicyKit
- Coverity only found issues in JavaScript code from the generated documentation
- Bandit found the following issues:
  - B405: import_xml_etree - LOW
  - B314: xml.etree.ElementTree.fromstring - MEDIUM
  - B101: assert_used - LOW
  - B105: hardcoded_password_string - LOW -> false positive
  - There are plenty of other LOW issues in test code that we are not analysing
  - Those issues are low enough to allow this MIR to continue
Although the maintainer still considers it experimental, it is a good test
to have it on a non-LTS Ubuntu as dbus-python is obsolete.
Keep in mind that jeepney has some limitations: https://jeepney.readthedocs.io/en/latest/limitations.html
Security team ACK for promoting jeepney to main.
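The Bandit B314 finding above flags xml.etree.ElementTree.fromstring. As an added example (not jeepney's own code, and assuming the flagged call parses D-Bus introspection XML), here is a stdlib-only pre-check that refuses entity declarations while still accepting the DOCTYPE that valid introspection data carries; the interface name and samples below are constructed:

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeIntrospectionXML(ValueError):
    """Raised when XML declares entities (the expansion risk behind Bandit B314)."""


def reject_entity_declarations(xml_text):
    """Pre-scan with expat and refuse any <!ENTITY ...> declaration.

    Valid D-Bus introspection data starts with a DOCTYPE naming the freedesktop
    DTD, so rejecting DOCTYPE outright would break legitimate input; only entity
    declarations (internal and external, general and parameter) are refused.
    expat never fetches the external DTD unless a handler asks it to.
    Malformed XML surfaces as expat.ExpatError, as it would from ET.fromstring.
    """
    parser = expat.ParserCreate()

    def on_entity_decl(name, *_):
        raise UnsafeIntrospectionXML("entity declaration %r refused" % name)

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_text, True)


def parse_introspection(xml_text):
    """Return [(interface name, [method names])] from introspection XML,
    running the entity check before ET.fromstring ever sees the data."""
    reject_entity_declarations(xml_text)
    root = ET.fromstring(xml_text)
    return [(iface.get("name"), [m.get("name") for m in iface.findall("method")])
            for iface in root.iter("interface")]


def is_safe_introspection(xml_text):
    """True if the data passes the entity check, False if it was refused."""
    try:
        reject_entity_declarations(xml_text)
    except UnsafeIntrospectionXML:
        return False
    return True


# Constructed sample: the shape a D-Bus service returns from Introspect().
SAFE_INTROSPECTION = """<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node><interface name="org.example.Echo">
  <method name="Echo"><arg name="s" type="s" direction="in"/></method>
</interface></node>"""

# Constructed sample: the DOCTYPE internal subset declares an entity that is then
# expanded into an attribute; this is what the check refuses.
UNSAFE_INTROSPECTION = """<!DOCTYPE node [ <!ENTITY e "x"> ]>
<node><interface name="&e;"/></node>"""
```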