[MIR] mailman-suite as dependency of mailman3

Bug #1820206 reported by Christian Ehrhardt 
Affects: mailman-suite (Ubuntu)
Status: In Progress
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Availability]
The package is already universe for quite a while and build/works fine so far.
It is for example already used for https://lists.canonical.com/mailman3/postorius/lists/

This source builds only mailman3-web and that is also all we need (no py2).

[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR of it is at bug 1775427:

Mailman (2) has only python2 support, but we strive for python3,
therefore Mailman3 which has python3 support should be promoted to main.

This integrates mailman (core), HyperKitty (archiving) and Postorius (UI) in one place.

[Security]

No known CVEs found.
A few old issues can be found against mailman2 and one (but long fixed) for mailman 3
=> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman

[Quality assurance]

The mailman3 stack as of now (Disco) installs fine and provides a base
config. But due to the nature of the package, that needs further modification
to be of real use.

The package does ask debconf questions, but only as high as medium.

There are a few (2) very low severity bugs in Ubuntu and some package improvement suggestion bugs in Debian.
Nothing to stop this from being considered ok.

There are regular upstream releases and Debian packaging it.

No exotic HW involved.

No build time tests, but this is mostly an integrator package.
Tests are running as dep8 tests in django-mailman3, mailman3, mailman-hyperkitty, mailman3-core and mailmanclient.

d/watch is set up and ok.

No Lintian warning except fairly recent newer Standards version.

The package does not rely on demoted or obsolete packages.

[UI standards]

Comes with 7 translations in .po files
No end-user applications that need a standard-conformant desktop file.

[Dependencies]

Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.

[Standards compliance]
The package meets the FHS and Debian Policy standards.
The packaging itself is very straight forward and uses dh_* as much as possible - the d/rules fits on one screen.

[Maintenance]

The Server team will subscribe for the package for maintenance

[Background]
The package description explains the general purpose and context of the package well.

Revision history for this message
Christian Ehrhardt (paelzer) wrote:

[Duplication]
This is part of the six core packages of mailman3 that pull in further components as needed.
Since this represents mailman doing mailing list processing there is a duplication to mailman2.
But the intention is to stop seeding mailman2 as soon as mailman3 got promoted.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
But there is enough for mailman2 (and a bit for 3) that we should expect not (much) less in the future when it becomes more widely used.
=> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman

It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- integrate arbitrary javascript into the desktop
- deal with system authentication
- use centralized online accounts
- process arbitrary web content
- parse data formats

This is the overarching element that pulls together Mailman3, Postorius, HyperKitty and uWSGI to provide the mailman3 services on the web.
It actually doesn't do anything on its own, but depends on the right packages and provides a WSGI config for hyperkitty.
It also contains all the default settings for those, therefore I'll mark it for security review as well.
Less for the package itself, but for its role in regard to the other more exposed components.

[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- No tests for itself, but this is mostly integrating other components which are all having autopkgtests as reverse deps

[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
Ack from the MIR team's POV, but as outlined above a security review is recommended.
Assigning the security Team.

Changed in mailman-suite (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Chris Coulson (chrisccoulson) wrote:

I reviewed mailman-suite 0+20180916-7 as checked in to eoan. This isn't a full security audit, but rather a quick gauge of maintainability.

- mailman-suite is a Django web application which provides the Mailman3 Postorius web interface and the HyperKitty mailing list archiver. The package provides a uWSGI configuration and stub, associated systemd service file, and Django settings.
- There are no CVEs in our database.
- Build-Depends: debhelper, po-debconf
- Depends: dbconfig-sqlite3 | dbconfig-pgsql | dbconfig-mysql | dbconfig-no-thanks, lsb-base, node-less, python3, python3-django-hyperkitty, python3-django-postorius, python3-psycopg2 | python3-mysqldb, python3-whoosh, ruby-sass, ucf, uwsgi, uwsgi-plugin-python3
- Recommends: libapache2-mod-proxy-uwsgi | nginx
- All dependencies satisfied from main, except for:
  - node-less (bug 1820201)
  - python3-django-hyperkitty (bug 1820196)
  - python3-django-postorius (bug 1820210)
  - python3-whoosh (bug 1820224)
  - ruby-sass (no bug)
  - uwsgi, uwsgi-plugin-python3 (bug 1820227)
- The upstream project doesn't see a lot of activity, although that's expected given that it's very small. There have been commits to the upstream gitlab project within the last month.
- All code is written in Python
- The package doesn't appear to have a direct dependency on python-django, despite shipping python code that directly imports its modules.

- There are no compiled binaries.
- The package is lintian clean.
- As nothing is compiled in the build, there are no compiler warnings or errors.
- Some directories are installed owned by list:list or www-data:www-data.
- Ships a logrotate config for /var/log/mailman3/web/mailman-web.log which configures a daily rotation and specifies a rotate count of 5.
- No DBus services.
- No setuid binaries.
- No FS capabilities.
- Does not call any privileged commands.
- No sudo fragments.
- No udev rules.
- Installs a cron job that runs django-admin.py at various intervals (minutely, every 15 minutes, hourly, daily, weekly, monthly, yearly).
- Provides a systemd service that runs the mailman3-web uWSGI service - initially as root, but it drops privileges and eventually runs as www-data.

- Doesn't spawn subprocesses.
- Doesn't open any files.
- Doesn't make use of any logging.
- Doesn't read anything from the environment.
- No privileged code.
- No networking.
- No cryptography.
- No sql.
- Doesn't use temporary files, except during package configure (the postinst script uses the tempfile command)
- No webkit.

- The amount of actual python code is very small - basically wsgi.py and manage.py, which are just stubs that call in to Django code with the mailman-suite Django settings (settings.py).
- The package ships a template Django settings file, and generates a local one with some saner defaults (such as unique values for SECRET_KEY and MAILMAN_ARCHIVER_KEY generated from /dev/urandom) when the package is configured.

Security team ACK for promoting mailman-suite to main, once its dependencies have been approved. Note that I couldn't find a MIR bug for ruby-sass.

Changed in mailman-suite (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
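The secret-generation step that the review above describes (unique SECRET_KEY and MAILMAN_ARCHIVER_KEY values drawn from /dev/urandom at configure time), as an added example. This is not the mailman-suite package's own postinst code; the file name, the variable names, the 32-byte key length and the 0640 mode are assumptions chosen for illustration.

```shell
# Added example, not the mailman-suite package's own postinst: generate
# per-installation secrets from /dev/urandom and write them into a local
# Django settings file. File names, key length and mode are assumptions.

# gen_secret N: print N random bytes from /dev/urandom as 2N hex characters.
gen_secret() {
    n="${1:-32}"
    head -c "$n" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# write_local_settings FILE: create FILE with fresh SECRET_KEY and
# MAILMAN_ARCHIVER_KEY values. An existing file is left untouched so that
# reconfiguring the package does not rotate keys that sessions and
# archives already depend on. The content is written to a temporary name
# and then moved into place, so nothing ever reads a half-written file.
write_local_settings() {
    target="$1"
    if [ -e "$target" ]; then
        return 0
    fi
    tmp="$(mktemp "${target}.XXXXXX")"
    {
        printf '# constructed example settings; generated at configure time\n'
        printf "SECRET_KEY = '%s'\n" "$(gen_secret 32)"
        printf "MAILMAN_ARCHIVER_KEY = '%s'\n" "$(gen_secret 32)"
        printf 'DEBUG = False\n'
    } > "$tmp"
    chmod 0640 "$tmp"   # readable by owner and service group, not world
    mv "$tmp" "$target"
}

# check_local_settings FILE: succeed only if both keys are present, are
# 64 hex characters long (32 bytes of entropy) and differ from each other.
check_local_settings() {
    f="$1"
    sk="$(sed -n "s/^SECRET_KEY = '\([0-9a-f]*\)'\$/\1/p" "$f")"
    ak="$(sed -n "s/^MAILMAN_ARCHIVER_KEY = '\([0-9a-f]*\)'\$/\1/p" "$f")"
    [ "${#sk}" -eq 64 ] || return 1
    [ "${#ak}" -eq 64 ] || return 1
    [ "$sk" != "$ak" ] || return 1
}
```

Calling `write_local_settings /etc/mailman3/settings_local.py` once creates the file; a second call is a no-op, which is the property a maintainer wants from a postinst that may run again on every upgrade. `check_local_settings` is the kind of sanity check a packaging test can run to confirm the two keys were actually generated independently rather than copied from a template.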
Revision history for this message
Christian Ehrhardt (paelzer) wrote:

I answered on IRC that the dependency to ruby-sass is planned to be dropped.
Therefore mailman-suite itself is complete as well, thanks for the review.

Changed in mailman-suite (Ubuntu):
status: New → In Progress
Revision history for this message
Christian Ehrhardt (paelzer) wrote:

After evaluating dependencies, required further changes and mostly maintainability for security and packaging it was decided there are too many concerns - not about any single package in particular, but the overall Mailman3 stack - about the ability to maintain and monitor it as well as we need it for support in main.

We have closed the primary LP bug already; the MIRs that are already approved - like this one - will stay that way, but we will make no seed change to pull things in for now. Yet if other needs come up for those, they have a prepared MIR already.
Other bugs which are not yet completed in terms of review will be closed as Won't Fix.

Even though it ended up being aborted, I think that is a valid outcome of the MIR evaluations. Nevertheless I want to thank everybody involved for all the work spent in what was nearly a year working through these MIRs.
