[MIR] python-requests-kerberos and pykerberos (deps of python-keystoneauth1)

Bug #1620293 reported by Matthias Klose
Affects                            Status   Importance  Assigned to              Milestone
pykerberos (Ubuntu)                Invalid  Undecided   Ubuntu Security Team
python-requests-kerberos (Ubuntu)  Invalid  Undecided   Mathieu Trudel-Lapierre

Bug Description

[MIR] python-requests-kerberos and pykerberos (deps of python-keystoneauth1)

Tags: yakkety
Matthias Klose (doko)
Changed in pykerberos (Ubuntu):
status: New → Incomplete
Michael Terry (mterry)
Changed in pykerberos (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in python-requests-kerberos (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in pykerberos (Ubuntu):
status: Incomplete → In Progress
Changed in python-requests-kerberos (Ubuntu):
status: Incomplete → In Progress
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

python-requests-kerberos looks good; it appears to be well-maintained in Debian and Ubuntu, and is a simple package that relies on python-requests which is already in main. However, it is blocked by pykerberos, which appears to be missing hardening flags:

N: Processing binary package python3-kerberos (version 1.1.5-2build1, arch amd64) ...
I: python3-kerberos: hardening-no-bindnow usr/lib/python3/dist-packages/kerberos.cpython-35m-x86_64-linux-gnu.so
N: ----
N: Processing binary package python-kerberos (version 1.1.5-2build1, arch amd64) ...
I: python-kerberos: hardening-no-bindnow usr/lib/python2.7/dist-packages/kerberos.so
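
The lintian tag quoted above means the extension module's dynamic section carries neither DF_BIND_NOW in DT_FLAGS nor DF_1_NOW in DT_FLAGS_1, so lazy PLT binding stays enabled and the GOT remains writable at runtime (full RELRO needs BIND_NOW). The following is an added example, not code from the bug report, pykerberos or lintian: a small ELF64 little-endian parser that performs the same check, plus a constructed (non-loadable) sample image so it can be exercised offline. The helper names `dynamic_entries`, `has_bindnow` and `build_minimal_elf` are this example's own.

```python
"""Check whether an ELF64 shared object was linked with BIND_NOW.

Added example (not from the bug report or the pykerberos package): it
reproduces what lintian's hardening-no-bindnow tag tests for, namely the
absence of DF_BIND_NOW in DT_FLAGS and of DF_1_NOW in DT_FLAGS_1 in the
PT_DYNAMIC segment.  Only the little-endian ELF64 layout is handled.
"""
import struct
import sys

# ELF constants (System V ABI / elf.h)
PT_DYNAMIC = 2
DT_NULL = 0
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def dynamic_entries(data: bytes):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment of an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # Ehdr offsets: e_phoff @ 0x20 (u64), e_phentsize @ 0x36 (u16), e_phnum @ 0x38 (u16)
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Phdr prefix: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type != PT_DYNAMIC:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 16 <= end:
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)  # Elf64_Dyn
            if d_tag == DT_NULL:
                return
            yield d_tag, d_val
            pos += 16


def has_bindnow(data: bytes) -> bool:
    """True if the dynamic section asks the loader to bind all symbols at load time."""
    for tag, val in dynamic_entries(data):
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True
    return False


def build_minimal_elf(bindnow: bool) -> bytes:
    """Constructed sample: an ELF64 image holding only an Ehdr, one PT_DYNAMIC
    Phdr and a three-entry dynamic array.  Not loadable; just enough structure
    for dynamic_entries() to parse."""
    ehsize, phentsize = 64, 56
    dyn_off = ehsize + phentsize
    entries = [(DT_FLAGS, DF_BIND_NOW if bindnow else 0),
               (DT_FLAGS_1, DF_1_NOW if bindnow else 0),
               (DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LE, EV_CURRENT
    # e_type=ET_DYN, e_machine=EM_X86_64, e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


def check_file(path: str) -> str:
    """Return a lintian-style verdict for a shared object on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return "bindnow" if has_bindnow(data) else f"hardening-no-bindnow {path}"


if __name__ == "__main__":
    for p in sys.argv[1:] or []:
        print(check_file(p))
```

Run it as `python3 bindnow_check.py /path/to/kerberos.so` against a built extension module; `readelf -d` on the same file should show `BIND_NOW` under FLAGS or `NOW` under FLAGS_1 when the check passes. For a Debian package the usual remedy is to let dpkg-buildflags pass `-Wl,-z,now` to the linker, e.g. `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` in debian/rules, after which the lintian tag disappears.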

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

python-requests-kerberos and pykerberos are also missing a team subscriber; a team that will look after bugs in these packages.

pykerberos is a little worrying in that the last changes happened over a year ago, and there has been a new upstream version since June that hasn't been packaged. It's not horrible yet, as it appears to be a fairly regularly maintained project upstream, but it may be missing an active maintainer team to look after the package in Debian and Ubuntu. The new upstream version should be packaged.

Team subscriber is definitely a blocker, and so is enabling hardening for pykerberos. Given that pykerberos deals with potentially sensitive auth/authz information, it should be reviewed by the security team.

Changed in pykerberos (Ubuntu):
status: In Progress → Incomplete
Changed in python-requests-kerberos (Ubuntu):
status: In Progress → Incomplete
Changed in pykerberos (Ubuntu):
assignee: Mathieu Trudel-Lapierre (cyphermox) → Ubuntu Security Team (ubuntu-security)
Changed in python-requests-kerberos (Ubuntu):
milestone: none → ubuntu-17.03
Changed in python-requests-kerberos (Ubuntu):
milestone: ubuntu-17.03 → ubuntu-17.05
Revision history for this message
James Page (james-page) wrote :

This was an optional dependency; no direct requirement to pull into main, so marking both bug tasks as Invalid.

Changed in pykerberos (Ubuntu):
status: Incomplete → Invalid
Changed in python-requests-kerberos (Ubuntu):
status: Incomplete → Invalid