[MIR] parallax, dependency of crmsh
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
parallax (Ubuntu) | | Undecided | Unassigned |
Bug Description
[Availability]
In universe; Architecture: all.
[Rationale]
Dependency for crmsh, part of our HA stack. parallax is needed for commands like 'crm cluster health' to work.
[Security]
No security history. It looks like parallax wraps the openssh client, so I don't think it is particularly security sensitive. It might be worth asking the security team to decline a security review anyway though.
[Quality assurance]
parallax is a Python API wrapper for ssh; users don't use it directly. Both Python 2 and Python 3 modules are shipped. No debconf questions. No open bugs in Debian, Ubuntu or upstream. No sign of any non-maintenance in Debian (just few upstream releases). No relation to exotic hardware.
Packaging does arrange for some tests to run automatically on build. It misses the one test that does exist. However, that test requires an ssh-able host, and we have no mechanism to set that up currently. Nesting an lxd container inside the autopkgtest environment might be something we could do, but it'd be Ubuntu only (no lxd in Debian yet; still at ITP stage in Debian bug 768073). I'm not sure we've done this thing before, or to what extent our autopkgtest infrastructure will work for this. Please let me know if you think it's needed.
debian/watch file connects to PyPI as expected.
[UI standards]
parallax provides an API only, so N/A.
[Dependencies]
None, except for Python. It should depend on openssh-client. I filed http://
[Standards compliance]
Appears FHS compliant (trivial; it's a Python module built using dh-python). lintian clean except for debian-
[Maintenance]
~ubuntu-server has subscribed to this package. I think this also falls under "simple packages" from the MIR requirements.
[Background information]
ssh support used to be provided via the pssh package in crmsh before 2.2. Since 2.2, it has been provided via the python-parallax instead. The upstream change for this was https:/
Historically, crmsh never provided any of depends, recommends, suggests against pssh nor against python-parallax. pssh has always been in universe, as is python-parallax.
According to https:/
I don't think it'd be a regression upon what was already published to not depend on python-parallax, since "crm cluster health" would still have needed pssh previously (AFAICT). But we want "crm cluster health" to work, hence this MIR.
Changed in parallax (Ubuntu):
assignee: nobody → Ubuntu Server Team (ubuntu-server)
description: updated
Jon Grimm (jgrimm) wrote: #1
description: updated
Changed in parallax (Ubuntu):
status: Incomplete → New
description: updated
description: updated
Michael Terry (mterry) wrote: #2
Passing to security team like you said, just to verify that this actually doesn't need a pass. Better safe than sorry.
Changed in parallax (Ubuntu):
assignee: Ubuntu Server Team (ubuntu-server) → Ubuntu Security Team (ubuntu-security)
Seth Arnold (seth-arnold) wrote: #3
I reviewed parallax version 1.0.1-3 as checked into artful; this should
not be considered a full security audit but rather a quick gauge of
maintainability.
- No CVEs in our CVE database
- Parallax provides an API for multiple ssh use: executing commands on
multiple hosts, copying files to and from multiple hosts.
- Build-Depends: debhelper, dh-python, python-all, python3-all
- Does not daemonize
- auto-generated python postinst scripts
- No initscripts
- No systemd unit files
- No dbus services
- No setuids
- No binaries in the path
- No sudo fragments
- No udev rules
- There's a file with tests but nothing run during the build; it feels
like it would be hard to test
- No cron jobs
- Clean build logs
- Subprocesses are spawned as the whole point of the package; safe array
mechanism for parameters, manages close-on-exec for its own
file descriptors
- Files are written to as part of stdout/stderr handling, seemed safe
- Uses PARALLAX_
variables, seemed safe
- Does not itself do networking or cryptography
- No privileged portions of code
- No temporary files
- No webkit
- No js
- No policykit
Parallax seemed straight-forward enough. Like many python programs actual
error results are sometimes discarded before giving the user a generic
error message. This is annoying but not really unique to parallax.
I didn't investigate if there's any cross-machine attacks possible --
TIOCSTI for example is a way for a terminal-driven program to drive the
terminal. I would love to hear feedback from someone about this.
Here's some notes I took when reviewing parallax in the hopes that they
are useful to someone:
- read_host_file() strips each line twice, once when reading, once when
parsing
- askpass_main() misleading error text "Couldn't bind to %s:" but the
failed call is sock.connect(
about errors in this function is discarded entirely rather than being
presented to the user.
Security team ACK for promoting parallax to main.
Thanks
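The review above credits parallax with a "safe array mechanism for parameters" and with managing close-on-exec for its own descriptors. The following is an added example, not parallax's code and not part of the review, showing how a reviewer can check both properties using only Python's standard subprocess module. It assumes a POSIX system; the Python interpreter stands in for the ssh client, and the host string is constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed input: a host-file entry carrying shell metacharacters.
HOSTILE_HOST = "node1; echo INJECTED"

# Stand-in for the ssh client: prints each argument it received on its own line.
SHOW_ARGV = "import sys; print('\\n'.join(sys.argv[1:]))"
# Child-side probe: report the inode behind a descriptor number, or 'closed'.
PROBE_FD = ("import os, sys\n"
            "try:\n    print(os.fstat(int(sys.argv[1])).st_ino)\n"
            "except OSError:\n    print('closed')\n")


def spawn_argv(host):
    """Array form: the host string stays one argument, no shell parses it."""
    argv = [sys.executable, "-c", SHOW_ARGV, "-o", "BatchMode=yes", host, "uptime"]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def spawn_shell(host):
    """String form via /bin/sh, shown for contrast: ';' ends the first command."""
    done = subprocess.run("echo ssh %s" % host, shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def child_inherits(fd, allow=False):
    """True if a spawned child sees the same open file behind `fd`."""
    done = subprocess.run([sys.executable, "-c", PROBE_FD, str(fd)],
                          capture_output=True, text=True, check=True,
                          pass_fds=(fd,) if allow else ())
    return done.stdout.strip() == str(os.fstat(fd).st_ino)


if __name__ == "__main__":
    print("argv :", spawn_argv(HOSTILE_HOST))
    print("shell:", spawn_shell(HOSTILE_HOST))
    r, w = os.pipe()  # PEP 446: new descriptors are non-inheritable by default
    print("inheritable flag on pipe fd:", os.get_inheritable(r))
    print("child sees fd by default   :", child_inherits(r))
    print("child sees fd via pass_fds :", child_inherits(r, allow=True))
    os.close(r)
    os.close(w)
```

Comparing inodes rather than only testing whether the descriptor number is open avoids a false positive when the child happens to have an unrelated file open at the same number.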
Changed in parallax (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Matthias Klose (doko) wrote: #4
Override component to main
parallax 1.0.1-3 in artful: universe/misc -> main
python-parallax 1.0.1-3 in artful amd64: universe/
python-parallax 1.0.1-3 in artful arm64: universe/
python-parallax 1.0.1-3 in artful armhf: universe/
python-parallax 1.0.1-3 in artful i386: universe/
python-parallax 1.0.1-3 in artful ppc64el: universe/
python-parallax 1.0.1-3 in artful s390x: universe/
python3-parallax 1.0.1-3 in artful amd64: universe/
python3-parallax 1.0.1-3 in artful arm64: universe/
python3-parallax 1.0.1-3 in artful armhf: universe/
python3-parallax 1.0.1-3 in artful i386: universe/
python3-parallax 1.0.1-3 in artful ppc64el: universe/
python3-parallax 1.0.1-3 in artful s390x: universe/
13 publications overridden.
Changed in parallax (Ubuntu):
status: New → Fix Released
+1 for server team maintenance. I've subscribed Ubuntu Server correspondingly.