[MIR] py-macaroon-bakery, protobuf, pyrfc3339

Bug #1747460 reported by Andres Rodriguez on 2018-02-05
Affects / Importance / Assigned to:
 - protobuf (Ubuntu): Undecided, Unassigned
 - py-macaroon-bakery (Ubuntu): Undecided, Mathieu Trudel-Lapierre
 - pyrfc3339 (Ubuntu): Undecided, Mathieu Trudel-Lapierre
 - python-nacl (Ubuntu): High, Unassigned

Bug Description

py-macaroon-bakery
==================

1. Availability: all

2. Rationale:
Macaroons are a new form of authorization mechanism. The macaroon bakery builds on pymacaroons, allowing it to work at a higher level.

In order for MAAS (and other projects) to support macaroon based authentication, this needs to be in main. This will allow projects to support remote/centralized authentication based on macaroons.

3. Security:
No CVEs

4. QA:
0 bugs in debian/ubuntu

5. UI standards:
None

6. Dependencies:

Dependencies in universe:
 - python3-pymacaroons (MIR LP: #1746772)
 - python3-nacl
 - python3-protobuf
 - python3-rfc3339

7. Standards:
No lintian errors.

Packaged with debhelper. Source format is 3.0 (quilt)

Standards version: 4.4.1

8. Maintenance:
Easy.

9. Background information:
This is a required dependency to implement third-party/centralized authentication alongside pymacaroons. This is a new dependency that's required by MAAS.

python3-protobuf
================

1. Availability: any

2. Rationale:
Dependency of python3-macaroonbakery. The library from this same source package, libprotobuf10, is already in main.

3. Security:
No CVEs

4. QA:
protobuf source: 10 bugs in Debian, 11 in Ubuntu

5. UI standards:
None

6. Dependencies:
All in main

7. Standards:
No lintian errors.

Packaged with debhelper. Source format is 3.0 (quilt)

Standards version: 3.9.8

8. Maintenance:
Easy.

9. Background information:
protobuf source already has binaries in main. This is just the python bindings that are required by macaroonbakery.

rfc3339
=======

1. Availability: all

2. Rationale:
Dependency of python3-macaroonbakery.

3. Security:
No CVEs

4. QA:
0 bugs in debian/ubuntu

5. UI standards:
None

6. Dependencies:
All in main

7. Standards:
No lintian errors. 1 warning:
W: pyrfc3339 source: ancient-standards-version 3.9.6 (released 2014-09-17) (current is 4.1.3)

Packaged with debhelper. Source format is 3.0 (quilt)

8. Maintenance:
Easy.

9. Background information:
Parser and generator of RFC 3339-compliant timestamps. This is a dependency for python3-macaroonbakery.

python-nacl
===========

1. Availability: any

2. Rationale:
Dependency of python3-macaroonbakery.

3. Security:
No CVEs

4. QA:
0 bugs in debian/ubuntu

5. UI standards:
None

6. Dependencies:
All in main

7. Standards:
No lintian errors.

Uses standards version 3.9.8

Packaged with debhelper. Source format is 3.0 (quilt)

8. Maintenance:
Easy.

9. Background information:
PyNaCl is a Python binding to the Networking and Cryptography library. This is a dependency for python3-macaroonbakery.

summary: - [MIR] py-macaroon-bakery,
+ [MIR] py-macaroon-bakery, protobuf, pyrfc3339
description: updated
description: updated
Matthias Klose (doko) wrote :

python3-pymacaroons still depends on python-nacl. However the MIR is for python-libnacl. Can we remove one from the archive?

Changed in py-macaroon-bakery (Ubuntu):
status: New → Incomplete
Matthias Klose (doko) wrote :

protobuf already is in main

Changed in protobuf (Ubuntu):
status: New → Invalid
Andres Rodriguez (andreserl) wrote :

09:27 < roaksoax> doko: TBH, no idea as I've not looked at what the differences are, but will take a look
09:38 < doko> roaksoax: maybe you could ask cjwatson about the differences in python-nacl and python-libnacl, he is one of the Debian uploaders
09:39 < roaksoax> doko: that's what I was planning on doing :)
09:42 < cjwatson> different upstream projects with incompatible APIs
09:43 < cjwatson> more or less similar functions
09:43 < cjwatson> but AIUI switching from one to the other is basically a rewrite

Changed in py-macaroon-bakery (Ubuntu):
status: Incomplete → New
Andres Rodriguez (andreserl) wrote :
description: updated
description: updated

python-nacl is missing a team subscriber.

I'm reviewing these source packages.

Changed in python-nacl (Ubuntu):
status: New → Incomplete
Changed in pyrfc3339 (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in py-macaroon-bakery (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in python-nacl (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in pyrfc3339 (Ubuntu):
status: New → Triaged
Changed in py-macaroon-bakery (Ubuntu):
status: New → Triaged
Andres Rodriguez (andreserl) wrote :

Added a team subscriber

Changed in python-nacl (Ubuntu):
status: Incomplete → New

pyrfc3339 looks good and straightforward to me; MIR approved.

Changed in pyrfc3339 (Ubuntu):
status: Triaged → Fix Committed
Steve Langasek (vorlon) wrote :

Override component to main
pyrfc3339 1.0-4 in bionic: universe/misc -> main
python-rfc3339 1.0-4 in bionic amd64: universe/python/optional/100% -> main
python-rfc3339 1.0-4 in bionic arm64: universe/python/optional/100% -> main
python-rfc3339 1.0-4 in bionic armhf: universe/python/optional/100% -> main
python-rfc3339 1.0-4 in bionic i386: universe/python/optional/100% -> main
python-rfc3339 1.0-4 in bionic ppc64el: universe/python/optional/100% -> main
python-rfc3339 1.0-4 in bionic s390x: universe/python/optional/100% -> main
python3-rfc3339 1.0-4 in bionic amd64: universe/python/optional/100% -> main
python3-rfc3339 1.0-4 in bionic arm64: universe/python/optional/100% -> main
python3-rfc3339 1.0-4 in bionic armhf: universe/python/optional/100% -> main
python3-rfc3339 1.0-4 in bionic i386: universe/python/optional/100% -> main
python3-rfc3339 1.0-4 in bionic ppc64el: universe/python/optional/100% -> main
python3-rfc3339 1.0-4 in bionic s390x: universe/python/optional/100% -> main
Override [y|N]? y
13 publications overridden.

Changed in pyrfc3339 (Ubuntu):
status: Fix Committed → Fix Released

py-macaroon-bakery looks good to me; MIR approved.

Changed in py-macaroon-bakery (Ubuntu):
status: Triaged → Fix Committed

python-nacl should be reviewed by the Security Team since it deals with crypto, otherwise it looks fine to me. I have not done an in-depth code review of the upstream source.

Changed in python-nacl (Ubuntu):
status: New → Incomplete
assignee: Mathieu Trudel-Lapierre (cyphermox) → Ubuntu Security Team (ubuntu-security)
Steve Langasek (vorlon) wrote :

Override component to main
py-macaroon-bakery 1.1.3-1 in bionic: universe/misc -> main
python3-macaroonbakery 1.1.3-1 in bionic amd64: universe/python/optional/100% -> main
python3-macaroonbakery 1.1.3-1 in bionic arm64: universe/python/optional/100% -> main
python3-macaroonbakery 1.1.3-1 in bionic armhf: universe/python/optional/100% -> main
python3-macaroonbakery 1.1.3-1 in bionic i386: universe/python/optional/100% -> main
python3-macaroonbakery 1.1.3-1 in bionic ppc64el: universe/python/optional/100% -> main
python3-macaroonbakery 1.1.3-1 in bionic s390x: universe/python/optional/100% -> main
7 publications overridden.

Changed in py-macaroon-bakery (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

FYI since the proximate dependency of maas has been promoted and therefore allowed to migrate, but python-nacl has not, this currently causes build failures of the ubuntu-server live image.

I am going to pre-promote python-nacl to unblock image builds. Security Team, can you please prioritize this review?

Changed in python-nacl (Ubuntu):
importance: Undecided → High
Seth Arnold (seth-arnold) wrote :

I reviewed python-nacl version 1.1.2-1build1 as checked into bionic. This
isn't a full security audit but rather a quick gauge of maintainability.

- No CVEs in our database
- python-nacl is a shim to the libsodium library

- Build-Depends: debhelper, dh-python, libsodium-dev, python-all-dev,
  python-cffi, python-pytest, python-setuptools, python-six,
  python3-all-dev, python3-cffi, python3-pytest, python3-setuptools,
  python3-six, python3-sphinx,
- Does not daemonize
- pre/post inst/rm scripts automatically generated
- No init scripts
- No systemd unit / service files
- No DBus services
- No setuid files
- No binaries in main
- No sudo fragments
- No udev rules
- Large test suite run during the build
- No cron jobs
- Build logs have an error that seems to indicate an attempt to build
  documentation based on network-reached assets:

  > loading intersphinx inventory from http://docs.python.org/objects.inv...
  > WARNING: failed to reach any of the inventories with the following issues:
  > WARNING: intersphinx inventory 'http://docs.python.org/objects.inv' not fetchable due to <class 'requests.exceptions.ProxyError'>: ('intersphinx inventory %r not fetchable due to %s: %s', 'http://docs.python.org/objects.inv', <class 'requests.exceptions.ProxyError'>, ProxyError(...))
  >

- No subprocesses spawned
- No file IO
- Memory management looked careful
- Logging looked careful
- No environment variable use
- Extensive cryptography -- but all wrappers
- No privileged functions
- No privileged portions of code
- No temporary files
- No WebKit use
- No JavaScript use
- No PolicyKit use

python-nacl is a straightforward FFI shim with good error checking and
a test suite with over 4000 tests. (I didn't inspect the tests, but it
surely sounds promising.)

Security team ACK for promoting python-nacl to main.

Thanks

Changed in python-nacl (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Matthias Klose (doko) wrote :

closing the python-nacl task. already promoted.

Changed in python-nacl (Ubuntu):
status: Incomplete → Fix Released