[MIR] msgpack-python

Bug #1207003 reported by Chuck Short
Affects                  Status        Importance  Assigned to  Milestone
msgpack-python (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Availability: Currently in universe
Rationale: Dependency for ceilometer.
Security: No security history.
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.
Dependencies: All are in main.

Revision history for this message
Michael Terry (mterry) wrote :

This seems fine from a packaging/maintainability POV. Thanks for the bug subscriber and test patch. Could you throw the test patch over to Debian?

However, since this is a binary format parser (a custom format no less), this should get a quick security audit.

Changed in msgpack-python (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in msgpack-python (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I reviewed msgpack-python version 0.3.0-0ubuntu1 as checked into
saucy. This shouldn't be considered a full security audit, but rather
a quick gauge of code quality.

- msgpack-python provides a binary-encoding interchange format optimized
  to save bytes compared to more verbose encoding formats (small integers
  may be encoded in a single byte if their range fits).
- Build-depends cython, usual Python, python-six, python-nose,
  python-pytest
- Does not itself use cryptography
- Does not itself use networking
- No daemons, no sockets, no init scripts, no dbus services, no setuid
  programs, no binaries, no sudo fragments
- Good test suite checks many boundary conditions of the binary format
- No cron jobs
- Since much of the compiled source is automatically generated, there are
  more warnings than would be ideal (especially signed / unsigned
  comparisons, often a rife source of bugs), but I did not spot any
  problems at the warning sites
- No subprocesses are spawned
- Memory allocation is aimed for speed of processing, default starts with
  allocating a megabyte for buffer use, and without constraints can grow
  to consume all memory available to the process. The authors recommend
  constraining the memory allocations when handling untrusted input.
- Only file operations are through Python duck-typing
- No environment variables
- No logging
- No privileged portions of code
- No cryptography
- No webkit

This code has more than the usual amount of commented-out sections,
more than the usual amount of TODO and FIXME comments, and far more C
pre-processor tricks than the usual program. This protocol was designed
to save bytes where it could and the end result, at least in the Python
implementation, is an extremely complicated parser.

This tool would not be my first choice of API -- or protocol. Python
Thrift feels more mature and the simplicity of its protocol feels far
preferable to me than the huge diversity of types msgpack-python supports
in an effort to squeeze every byte.

However, that said, I did not spot any security problems, and the test
suite would give me confidence that any patches we may need have been
written correctly.

Security team ACK for main.

Changed in msgpack-python (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
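Two points in this thread come down to the same defensive pattern: mterry's remark that a custom binary-format parser deserves a security look, and Seth's note that the unpacker's buffers can grow without bound on untrusted input unless the caller constrains them. The pattern is to validate every length or count the wire format declares before acting on it. The following is an added example written for this page, not code from msgpack-python or from anyone in the thread. It is a small pure-Python decoder for a subset of the MessagePack format (fixint, fixstr/str8/16/32, bin8/16/32, fixarray/array16/32, fixmap/map16/32, nil, booleans, fixed-width integers and floats; no ext types) in which each declared length is checked against a caller-supplied limit and against the bytes actually present before anything is allocated, and nesting depth is capped. The limit names (`max_str_len`, `max_array_len`, and so on), their default values, the `BoundedUnpacker`, `unpackb` and `classify` names, and all sample byte strings are constructed for the demonstration and are not the library's own parameters or data.

```python
"""Bounded decoder for a MessagePack subset. Added illustration for this
thread, not msgpack-python's own code: every length the format declares is
checked against a limit and the bytes present before use; depth is capped."""
import struct

# Constructed limits; a deployment sizes them to its largest legitimate message.
DEFAULT_LIMITS = {"max_str_len": 1024, "max_bin_len": 1024,
                  "max_array_len": 64, "max_map_len": 64, "max_depth": 8}


class LimitExceeded(ValueError):
    """A declared length, count or nesting depth exceeds its limit."""


class BoundedUnpacker:
    def __init__(self, data, limits=None):
        self.data, self.pos = data, 0
        self.limits = dict(DEFAULT_LIMITS, **(limits or {}))

    def _take(self, n):
        # Refuse to read past the end rather than silently returning a short slice.
        if n > len(self.data) - self.pos:
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def _length(self, n, key):
        # Every declared length or count passes through here before it is used.
        if n > self.limits[key]:
            raise LimitExceeded(f"{key}: {n} > {self.limits[key]}")
        return n

    def _uint(self, width):
        return int.from_bytes(self._take(width), "big")

    def _str(self, n):
        return self._take(self._length(n, "max_str_len")).decode("utf-8")

    def _array(self, n, depth):
        # Count is validated before the list exists, so a hostile array32
        # header cannot force a huge allocation or a long parse loop.
        self._length(n, "max_array_len")
        return [self.unpack(depth + 1) for _ in range(n)]

    def _map(self, n, depth):
        self._length(n, "max_map_len")
        # A tuple evaluates left to right, so the key is decoded before its value.
        return dict((self.unpack(depth + 1), self.unpack(depth + 1)) for _ in range(n))

    def unpack(self, depth=0):
        if depth > self.limits["max_depth"]:
            raise LimitExceeded("max_depth exceeded")
        b = self._take(1)[0]
        if b <= 0x7F:                        # positive fixint
            return b
        if b >= 0xE0:                        # negative fixint
            return b - 0x100
        if 0x80 <= b <= 0x8F:                # fixmap
            return self._map(b & 0x0F, depth)
        if 0x90 <= b <= 0x9F:                # fixarray
            return self._array(b & 0x0F, depth)
        if 0xA0 <= b <= 0xBF:                # fixstr
            return self._str(b & 0x1F)
        if b in (0xC0, 0xC2, 0xC3):          # nil, false, true
            return {0xC0: None, 0xC2: False, 0xC3: True}[b]
        if 0xC4 <= b <= 0xC6:                # bin8/16/32
            return bytes(self._take(self._length(self._uint(1 << (b - 0xC4)), "max_bin_len")))
        if b in (0xCA, 0xCB):                # float32/64
            return struct.unpack(">f" if b == 0xCA else ">d", self._take(4 if b == 0xCA else 8))[0]
        if 0xCC <= b <= 0xCF:                # uint8/16/32/64
            return self._uint(1 << (b - 0xCC))
        if 0xD0 <= b <= 0xD3:                # int8/16/32/64
            return int.from_bytes(self._take(1 << (b - 0xD0)), "big", signed=True)
        if 0xD9 <= b <= 0xDB:                # str8/16/32
            return self._str(self._uint(1 << (b - 0xD9)))
        if b in (0xDC, 0xDD):                # array16/32
            return self._array(self._uint(2 if b == 0xDC else 4), depth)
        if b in (0xDE, 0xDF):                # map16/32
            return self._map(self._uint(2 if b == 0xDE else 4), depth)
        raise ValueError(f"unsupported or reserved type byte 0x{b:02x}")


def unpackb(data, limits=None):
    u = BoundedUnpacker(data, limits)
    value = u.unpack()
    if u.pos != len(data):
        raise ValueError("trailing bytes after message")
    return value


def classify(data, limits=None):
    """Decode and tag the outcome: ("ok", value), ("limit", why) or ("error", why)."""
    try:
        return ("ok", unpackb(data, limits))
    except LimitExceeded as e:
        return ("limit", str(e))
    except (ValueError, TypeError) as e:
        return ("error", str(e))
```

With the constructed defaults, `classify(b"\x93\x01\xa2hi\xc3")` decodes to `[1, "hi", True]`, while a str32 header claiming four gigabytes (`b"\xdb\xff\xff\xff\xff"`) or an array32 header claiming a million elements (`b"\xdd\x00\x10\x00\x00"`) is rejected at the header, before any string or list is built, and a chain of nine fixarray headers trips the depth cap. The point the review makes is that these limits have to be chosen by the caller for the input it expects; the decoder cannot know them. Later msgpack-python releases expose comparable knobs on `Unpacker` (`max_buffer_size` and the `max_*_len` family); whether the 0.3.0 package reviewed here already has them is not something this thread establishes.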
Revision history for this message
Michael Terry (mterry) wrote :

Thanks, Seth!

Changed in msgpack-python (Ubuntu):
status: New → Fix Committed
Revision history for this message
Matthias Klose (doko) wrote :

Override component to main
msgpack-python 0.3.0-0ubuntu1 in saucy: universe/python -> main
msgpack-python 0.3.0-0ubuntu1 in saucy amd64: universe/python/optional/100% -> main
msgpack-python 0.3.0-0ubuntu1 in saucy armhf: universe/python/optional/100% -> main
msgpack-python 0.3.0-0ubuntu1 in saucy i386: universe/python/optional/100% -> main
msgpack-python 0.3.0-0ubuntu1 in saucy powerpc: universe/python/optional/100% -> main
5 publications overridden.

Changed in msgpack-python (Ubuntu):
status: Fix Committed → Fix Released