Comment 13 for bug 1301108

Seth Arnold (seth-arnold) wrote :

I reviewed pyqt5 version 5.2.1+dfsg-1ubuntu1 as checked into trusty. This
is not a full security audit, but only a quick gauge of maintainability.

- pyqt5 provides python bindings for the qt library
- Build-Depends: dpkg-dev, debhelper, fdupes, libdbus-1-dev,
  libglib2.0-dev, libgstreamer0.10-dev, libgstreamer-plugins-base0.10-dev,
  libicu-dev, libpulse-dev, libqt5opengl5-dev, libqt5sensors5-dev,
  libqt5serialport5-dev, libqt5svg5-dev, libqt5webkit5-dev,
  libqt5xmlpatterns5-dev, libqt5x11extras5-dev, libsqlite3-dev,
  libudev-dev, libxml2-dev, libxslt1-dev, python3-all-dbg,
  python3-all-dev, python3-dbus, python3-dbus-dbg, python3-sip-dbg,
  python3-sip-dev, python3-sphinx, python-dbus-dev, qtdeclarative5-dev,
  qtmultimedia5-dev, qtlocation5-dev, qttools5-dev
- No cryptography
- Does not itself do networking
- Does not itself daemonize
- postinst and prerm cache and remove cached binaries
- No initscripts
- No dbus services
- No setuid executables
- Three binaries in /usr/bin/
- No sudo fragments
- No udev rules
- No test suite
- No cronjobs
- Some warnings in build logs, probably not a concern

- Subprocesses rarely spawned, looked careful
- Memory management looked so-so; most failed allocations would crash
  quickly, however
- Files frequently manipulated, parameters supplied by callers
- Logging looked safe
- Environment handling looked safe
- No privileged code portions
- No cryptography
- Does not itself do networking
- No temporary files
- Does use WebKit. See discussion in this bug for details. The security
  team cannot support any webkit packages except oxide.
- Does not appear to use qtjsbackend directly
- Clean cppcheck
- No polkit

The code looked pretty clean, if complicated; most of the complication is
due to the problem being solved, though.

Security team ACK for promoting pyqt5 to main -- so long as all stakeholders
recognize that all webkit packages are entirely unsupported.