MIR for paste.

Bug #493593 reported by Chuck Short on 2009-12-07
Affects | Status | Importance | Assigned to | Milestone
paste (Ubuntu) | | Undecided | Unassigned |
  Lucid | | Undecided | Unassigned |
python-formencode (Ubuntu) | | High | Chuck Short |
  Lucid | | High | Chuck Short |
scgi (Ubuntu) | | High | Unassigned |
  Lucid | | High | Unassigned |

Bug Description

Hi,

I would like to include paste in main; it's a build dependency of python-pastescript. The MIR can be found at:

https://wiki.ubuntu.com/MIRPaste

If you have any questions, please let me know.

Regards
chuck

Martin Pitt (pitti) on 2009-12-10
Changed in paste (Ubuntu):
assignee: nobody → Matthias Klose (doko)
Matthias Klose (doko) wrote :

looks fine for me

Changed in paste (Ubuntu):
status: New → In Progress
Martin Pitt (pitti) wrote :

promoted

Changed in paste (Ubuntu):
assignee: Matthias Klose (doko) → nobody
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote :

python-paste depends on python-formencode, which is in universe. This also needs an MIR for lucid.

Changed in python-formencode (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-1
assignee: nobody → Chuck Short (zulcss)
importance: Undecided → Medium
importance: Medium → High
Steve Langasek (vorlon) wrote :

And python-paste also recommends python-scgi.

Changed in scgi (Ubuntu Lucid):
assignee: nobody → Chuck Short (zulcss)
importance: Undecided → High
milestone: none → ubuntu-10.04-beta-1
Steve Langasek (vorlon) wrote :

The paste package ships on the beta-1 CD but is not installable. This needs resolving for beta2.

Changed in python-formencode (Ubuntu Lucid):
milestone: ubuntu-10.04-beta-1 → ubuntu-10.04-beta-2
Steve Langasek (vorlon) on 2010-03-19
Changed in scgi (Ubuntu Lucid):
milestone: ubuntu-10.04-beta-1 → ubuntu-10.04-beta-2
Chuck Short (zulcss) wrote :

MIR for python-formencode:

* Availability: Available for all architectures
* Rationale: So paste is installable again
* Security: CVE-2008-6547 which has been fixed for lucid.
* Dependencies: debhelper, python-all-dev, python, python-support, python-setuptools,
 python-pkg-resources, python-elementtree (all in main)
* QA: No Debian Bugs open, No Ubuntu bugs open.
* Standards Compliant.
* Relatively easy to maintain.

Chuck Short (zulcss) wrote :

MIR for python-formencode:

* Availability: Available for all architectures
* Rationale: So paste is installable again
* Security: CVE-2008-6547 which has been fixed for lucid.
* Dependencies: debhelper, python-all-dev, python, python-support, python-setuptools,
 python-pkg-resources, python-elementtree (all in main)
* QA: No Debian Bugs open, No Ubuntu bugs open.
* Standards Compliant.
* Relatively easy to maintain.

MIR for scgi:

* Availability: Available for all architectures
* Rationale: So paste is installable again in main
* Security: NO CVE history
* Dependencies: debhelper, python-support, python-all-dev, apache2-threaded-dev, quilt, apache2.2-common,
   (all in main)
* QA: No Debian bugs open, No Ubuntu bugs open. Debian maintenance is really calm.
* Standards Compliant.

Scott Kitterman (kitterman) wrote :

The impact of dropping python-dns from python-formencode depends should actually be understood before the MIR for python-formencode is approved:

[09:39:57] <ScottK> ttx: It ought to at least build and dropping python-dns from depends with no rationale is just wrong.
[09:40:19] <ScottK> POX: Thanks.
[09:40:26] <POX> python-dns is probably removed as it's not in main
[09:40:28] <zul> i just uploaded the FTBFS fix
[09:40:43] <ttx> I'm trying to avoid duplicating work :)
[09:40:49] <zul> and removed python-dns as well
[09:40:53] <ScottK> POX: Yes, but we aren't supposed to just drop depends willy nilly.
[09:40:56] <ScottK> zul: Why?
[09:41:08] <zul> because its not in main
[09:41:18] <ScottK> zul: That's not a proper rationale.
[09:41:26] <zul> and the testsuite ran fine without it
[09:41:42] <ScottK> And so that means there's no impact?
[09:41:58] <zul> didnt appear to any to me

Thierry Carrez (ttx) wrote :

I agree. python-dns is optionally used if you specifically set resolve_domain=True. The rdepends should be checked to see if they make use of that option. If they don't, then Suggesting python-dns would be the correct solution. If some of them do, they could be made to depend on python-dns (and python-dns kept as a suggests). If all do, then having python-formencode depend on python-dns is probably the right thing to do.

Martin Pitt (pitti) wrote :

Flipping formencode to incomplete until that question is resolved.

Changed in python-formencode (Ubuntu Lucid):
status: New → Incomplete
Martin Pitt (pitti) wrote :

Kees, can you please take a look at scgi MIR? Thanks!

Changed in scgi (Ubuntu Lucid):
assignee: Chuck Short (zulcss) → Kees Cook (kees)
Kees Cook (kees) wrote :

scgi: +1 the code looks pretty defensive and seems to handle its fds correctly

Changed in scgi (Ubuntu Lucid):
status: New → In Progress
assignee: Kees Cook (kees) → nobody
Martin Pitt (pitti) wrote :

scgi promoted.

Changed in scgi (Ubuntu Lucid):
status: In Progress → Fix Released
Chuck Short (zulcss) wrote :

I checked the rdepends for python-formencode and none of them use resolve_domain=True so the Suggest is ok, the MIR should continue.

Regards
chuck
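
The rdepends check discussed above can be done mechanically rather than by eye. The following is an added example, not part of the original thread and not the script anyone in it used: it scans Python source for places where resolve_domain may be enabled, and falls back to a text match for files the Python 3 parser rejects. The function name, the sample sources, and the Email validator usage in them are constructed for illustration.

```python
import ast
import re

# Fallback for files the Python 3 parser rejects (e.g. Python 2-only syntax).
_TEXT_RE = re.compile(r"\bresolve_domain\s*=\s*(?!False\b|None\b|0\b)\S")

def _enabled(node):
    """False only for a literal falsy constant; unknown expressions count."""
    return not (isinstance(node, ast.Constant) and not node.value)

def find_resolve_domain(source, filename):
    """Return sorted (filename, line, kind) where resolve_domain may be on."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError:
        return [(filename, no, "text-match")
                for no, line in enumerate(source.splitlines(), 1)
                if _TEXT_RE.search(line)]
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "resolve_domain" and _enabled(kw.value):
                    hits.append((filename, kw.value.lineno, "call-keyword"))
        elif isinstance(node, ast.Assign) and _enabled(node.value):
            for target in node.targets:
                name = getattr(target, "id", getattr(target, "attr", None))
                if name == "resolve_domain":
                    hits.append((filename, node.lineno, "assignment"))
    return sorted(hits)

# Constructed sample sources (not taken from any real reverse dependency).
SAMPLE_PY3 = '''\
from formencode import validators

class Signup(object):
    email = validators.Email(resolve_domain=True)
    backup = validators.Email(resolve_domain=False)

class StrictEmail(validators.Email):
    resolve_domain = True
'''
SAMPLE_PY2 = 'print "scan"\nv = Email(resolve_domain=True)\n'

if __name__ == "__main__":
    for name, src in (("app.py", SAMPLE_PY3), ("legacy.py", SAMPLE_PY2)):
        for hit in find_resolve_domain(src, name):
            print("%s:%d: %s" % hit)
```

A non-literal value (for example a variable passed as resolve_domain) is reported as a hit, since whether it enables the DNS lookup cannot be decided statically.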

Martin Pitt (pitti) wrote :

python-formencode looks okay, promoted.

Changed in python-formencode (Ubuntu Lucid):
status: Incomplete → Fix Released