python-maxminddb MIR request
Availability:
The package must already be in the Ubuntu universe, and must build for the architectures it is designed to work on.
- package is in universe: https://launchpad.net/ubuntu/+source/python-maxminddb
- package builds for amd64, arm64, armhf, ppc64el, s390x (i386 was dropped in the last upload, unknown at the moment if it has to be re-enabled for i386)
Rationale:
The package is a dependency of python-geoip2 which is to be promoted to main via MIR bug #1861101. See https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/17 for the application, and https://bugs.launchpad.net/ubuntu/+source/python-geoip2/+bug/1861101/comments/19 for the ACK
In general, we are demoting python-geoip (the legacy GeoIP1 support) and want to replace it with geoip2. The unseeding of python-geoip already happened in https://code.launchpad.net/~ahasenack/ubuntu-seeds/+git/ubuntu/+merge/380547/
Security:
- zero advisories at https://github.com/maxmind/MaxMind-DB-Reader-python/security/advisories
* http://cve.mitre.org/cve/search_cve_list.html
- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=maxmind returned a hit for a javascript implementation
- geoip2, maxminddb, python-maxminddb, MaxMind-DB-Reader-python (the upstream name): no hits
* check OSS security mailing list (feed 'site:www.openwall.com/lists/oss-security <pkgname>' into search engine)
- "site:www.openwall.com/lists/oss-security maxminddb": no results
- "site:www.openwall.com/lists/oss-security maxmind": one hit:
- https://www.openwall.com/lists/oss-security/2011/05/20/4
- related to CVE-2007-0159 which was about the geoip1 C API
- "site:www.openwall.com/lists/oss-security python-maxminddb": no results
- "site:www.openwall.com/lists/oss-security python-maxmind": just ads as results
- "site:www.openwall.com/lists/oss-security MaxMind-DB-Reader-python": no results
- "site:www.openwall.com/lists/oss-security geoip2": no results
* Ubuntu CVE Tracker
* http://people.ubuntu.com/~ubuntu-security/cve/main.html
- no hits for maxminddb, geoip2, geoip, maxmind
* http://people.ubuntu.com/~ubuntu-security/cve/universe.html
- no hits for maxminddb, maxmind, geoip, geoip2
* http://people.ubuntu.com/~ubuntu-security/cve/partner.html
- has no packages or CVEs at all
* Check for security relevant binaries. If any are present, this requires a more in-depth security review.
- the source package builds two binary packages: python3-maxminddb and python-maxminddb-doc. The following is about these two binary packages.
* Executables which have the suid or sgid bit set.
- none
* Executables in /sbin, /usr/sbin.
- none (since it's a python module and its documentation, there are no executables)
* Packages which install services / daemons (/etc/init.d/*, /etc/init/*, /lib/systemd/system/*)
- no services
* Packages which open privileged ports (ports < 1024).
- none
* Add-ons and plugins to security-sensitive software (filters, scanners, UI skins, etc)
- being a python module, it is meant to be used by other software. The current list of reverse-depends contains just one package and that is python3-geoip2 (src:python-geoip2). That package in turn is a dependency of "sopel", an IRC bot (according to its description).
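As an added example, not part of the MIR report: the "security relevant binaries" checklist above (suid/sgid bits, executables in /sbin and /usr/sbin, installed services) expressed as a POSIX shell check over a `dpkg -L`-style file list. The package contents it runs against are constructed, hypothetical fixtures, and mir_binary_checks, make_fixture and count_findings are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the MIR report: automates the "security relevant
# binaries" checklist (suid/sgid, /sbin and /usr/sbin executables, services)
# over a `dpkg -L <pkg>` style file list. Privileged ports need a runtime check
# and are not covered here.

# $1: file with one installed path per line; $2: prefix the paths live under
# (use / for a real install). Prints one line per finding, nothing if clean.
mir_binary_checks() {
    list="$1"; root="${2:-/}"; root="${root%/}"
    grep -E '^/(usr/)?sbin/.' "$list" | sed 's/^/sbin-executable: /'
    grep -E '^/etc/init\.d/.|^/etc/init/.|^/lib/systemd/system/.' "$list" | sed 's/^/service: /'
    while IFS= read -r p; do
        f="$root$p"
        [ -f "$f" ] || continue
        # POSIX test: -u is the setuid bit, -g the setgid bit
        if [ -u "$f" ] || [ -g "$f" ]; then echo "suid/sgid: $p"; fi
    done < "$list"
}

# Constructed fixture (hypothetical paths) so the check runs offline: a clean
# listing modelled on a pure python module, and one for a daemon package that
# ships a service, an sbin binary and a setuid helper.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/lib/python3/dist-packages/maxminddb" \
             "$d/root/usr/sbin" "$d/root/usr/bin" "$d/root/lib/systemd/system"
    printf '%s\n' /usr/lib/python3/dist-packages/maxminddb/__init__.py \
                  /usr/share/doc/python3-maxminddb/copyright > "$d/clean.list"
    : > "$d/root/usr/lib/python3/dist-packages/maxminddb/__init__.py"
    printf '%s\n' /usr/sbin/exampled /lib/systemd/system/exampled.service \
                  /usr/bin/example-helper > "$d/dirty.list"
    : > "$d/root/usr/sbin/exampled"
    : > "$d/root/lib/systemd/system/exampled.service"
    : > "$d/root/usr/bin/example-helper"
    chmod 4755 "$d/root/usr/bin/example-helper"
    echo "$d"
}

# Number of findings for a listing, as a bare integer.
count_findings() {
    mir_binary_checks "$1" "$2" | wc -l | tr -d ' '
}

fixture=$(make_fixture)
echo "clean listing: $(count_findings "$fixture/clean.list" "$fixture/root") findings"
mir_binary_checks "$fixture/dirty.list" "$fixture/root"
rm -rf "$fixture"
```

For a real review, feed it `dpkg -L python3-maxminddb > list.txt` and run `mir_binary_checks list.txt /` on a system with the package installed.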
Quality assurance:
* After installing the package it must be possible to make it working with a reasonable effort of configuration and documentation reading.
- python module is readily importable after installation
* The package must not ask debconf questions higher than medium if it is going to be installed by default. The debconf questions must have reasonable defaults.
- no debconf questions
* There are no long-term outstanding bugs which affect the usability of the program to a major degree. To support a package, we must be reasonably convinced that upstream supports and cares for the package.
- upstream bugs: 2 open, 17 closed: https://github.com/maxmind/MaxMind-DB-Reader-python/issues. Both open bugs are tagged with "enhancement" and are many years old
- ubuntu bugs: none other than the MIR
- debian bugs: none (https://bugs.debian.org/cgi-bin/pkgreport.cgi?dist=unstable;package=python-maxminddb)
* The package is maintained well in Debian/Ubuntu (check out the Debian PTS)
- https://tracker.debian.org/pkg/python-maxminddb
- note about new upstream version available (1.5.2), released in December 2019 (we are in sync with debian at 1.4.1, which is currently the most recent 1.4.x release)
- debian vcs has a few commits that weren't uploaded yet, not serious
- the doc package, being arch all, could have a multiarch hint/fix
- outdated standards version, but not by that much (4.4.0 vs 4.5.0)
* The package should not deal with exotic hardware which we cannot support.
- no exotic hardware involved
* If the package ships a test suite, and there is no obvious reason why it cannot work during build (e. g. it needs root privileges or network access), it should be run during package build, and a failing test suite should fail the build.
- currently 171 tests are run at build time.
* The package uses a debian/watch file whenever possible. In cases where this is not possible (e. g. native packages), the package should either provide a debian/README.source file or a debian/watch file (with comments only) providing clear instructions on how to generate the source tar file.
- a working d/watch file is shipped:
$ uscan
uscan: Newest version of python-maxminddb on remote site is 1.5.2, local version is 1.4.1
uscan: => Newer package available from https://pypi.debian.net/maxminddb/maxminddb-1.5.2.tar.gz
Successfully symlinked ../maxminddb-1.5.2.tar.gz to ../python-maxminddb_1.5.2.orig.tar.gz.
* It is often useful to run lintian --pedantic on the package to spot the most common packaging issues in advance
$ lintian -I --pedantic
I: python-maxminddb source: out-of-date-standards-version 4.4.0 (released 2019-07-07) (current is 4.5.0)
P: python-maxminddb source: insecure-copyright-format-uri http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
P: python-maxminddb source: package-does-not-install-examples examples/
P: python-maxminddb source: rules-requires-root-missing
- examples and insecure-copyright url are fixed in salsa:
- https://salsa.debian.org/debian/python-maxminddb/-/commit/f94b9331c12093b12ea9dfa781dc4e566ec54963: ship examples
- https://salsa.debian.org/debian/python-maxminddb/-/commit/4bb24ff8c21d539eb0112f13315556577ec3c7b8: copyright URI
* The package should not rely on obsolete or about to be demoted packages. That currently includes package dependencies on Python2 (without providing Python3 packages), and packages depending on GTK2.
- no python2 package is produced, just python3
UI standards:
- not applicable
Dependencies:
* All binary dependencies (including Recommends:) must be satisfiable in main (i. e. the preferred alternative must be in main). If not, these dependencies need a separate MIR report (this can be a separate bug or another task on the main MIR bug)
"""
$ check-mir
Checking support status of build dependencies...
* debhelper-compat does not exist (pure virtual?)
* dh-python binary and source package is in universe
* python3-nose binary and source package is in universe
* python3-mock binary and source package is in universe
* python3-sphinx is in universe, but its source sphinx is already in main; file an ubuntu-archive bug for promoting the current preferred alternative
* libmaxminddb-dev binary and source package is in universe
Checking support status of binary dependencies...
"""
- debhelper and dh-python ok
- python3 nose and mock are used for the test run at build time
- python3-sphinx is used to build docs
- libmaxminddb-dev comes from src:libmaxminddb with MIR at https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101 and conditionally approved in https://bugs.launchpad.net/ubuntu/+source/libmaxminddb/+bug/1861101/comments/5
- runtime deps:
$ dpkg -s python3-maxminddb | grep Depends
Depends: python3 (<< 3.9), python3 (>= 3.8~), python3:any, libc6 (>= 2.4), libmaxminddb0 (>= 1.0.2)
- there are no Recommends
Standards compliance
* The package should meet the FHS and Debian Policy standards. Major violations should be documented and justified. Also, the source packaging should be reasonably easy to understand and maintain.
- I did not identify important violations
Maintenance:
* All packages must have a designated "owning" team, regardless of complexity, which is set as a package bug contact.
- the server team shall own this package
- this is a simple python module
- d/rules uses debhelper and is simple
- d/* has a simple structure
Background information:
- package description is good