Ubuntu
lazr.delegates package

  1. Bug #1820200
  2. Comment #1

Comment 1 for bug 1820200

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

[Duplication]
No duplication for this functionality in main at the moment.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package doe not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It Does not:
- run a daemon as root
- uses old webkit
- uses lib*v8 directly
- opens a port
- uses centralized online accounts
- integrates arbitrary javascript into the desktop
- deals with system authentication
- processes arbitrary web content
- parse data formats
=> Therefore IMHO there is no security review needed for this.

[Common blockers]
- builds fine at the moment
- utilizes build time self tests
- utilizes (rather trivial) smoke test as autopkgtest.
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3

[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present bug ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

The last build was really long ago (in wily) which is concerning about
the rebuildability. But in a disco build today it worked, so it is fine.

Not perfect but ok:
- past updates to the package were sporadic (mostly as-is since intial packaging
- due to that the most current release is not packaged (only a minor upgrade)
- The server team already took a task to check viability to update to the newest version on pypi

[Upstream red flags]
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

There is one suspicious error on build (a syntax error):
 959 byte-compiling /<<PKGBUILDDIR>>/debian/python-lazr.delegates/usr/lib/python2.7/dist-packages/lazr/delegates/_python3.py to _python3.pyc
 960 File "/usr/lib/python2.7/dist-packages/lazr/delegates/_python3.py", line 27
 961 def delegate_to(*interfaces, context='context'):
 962 ^
 963 SyntaxError: invalid syntax

That is not critical (a bit unelegant thou).
It is a py2/py3 split that is done int __init__.py and only in the py3 case this file is included.
In py2 where this is a syntax error it does not matter as there it is never used.
For the py2 this file shouldn't be (tried to) pycompile at all, so room for improvement but nothing fatal.

[Summary]
MIR Team Ack as the package seems small, easy and sane to me.
As outlined above it will not need a security review.

Note: As the Server team has updating this on their task list already, taking a look at the syntax error mentioned above as well would be nice.