[MIR] python-aws-requests-auth package
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-aws-requests-auth (Ubuntu) | Fix Released | Undecided | Utkarsh Gupta |
Bionic | Fix Released | Undecided | Utkarsh Gupta |
Focal | Fix Released | Undecided | Utkarsh Gupta |
Groovy | Fix Released | Undecided | Utkarsh Gupta |
Hirsute | Fix Released | Undecided | Utkarsh Gupta |
Bug Description
[Availability]
python-
[Rationale]
This package is to be included in AWS cloud images the public cloud team builds going back to Bionic. As cloud images are to ship only packages from main this request is to see that happen.
[Security]
As there is network communication to authenticate this warrants a security review. The good news is the entire package is a couple of hundred lines of python.
[Quality assurance]
There are currently 0 open bug reports (excluding this one) about the package in Ubuntu or Debian.
[Dependencies]
python and python-requests, both in main already
[Standards compliance]
$ lintian python-
W: python-
[Maintenance]
Foundations team
[Background information]
This package allows you to authenticate to AWS with Amazon's signature version 4 signing process with the python requests library.
Upstream:
https:/
Launchpad page:
https:/
Ubuntu bugs:
https:/
Debian Package Tracker:
https:/
Debian bugs:
https:/
Related branches
- Sergio Durigan Junior: Needs Information
  Diff: 11 lines (+1/-0), 1 file modified: supported-misc-servers (+1/-0)
- Sergio Durigan Junior: Pending requested
  Diff: 11 lines (+1/-0), 1 file modified: supported-misc-servers (+1/-0)
- Sergio Durigan Junior: Pending requested
  Diff: 11 lines (+1/-0), 1 file modified: supported-misc-servers (+1/-0)
- Sergio Durigan Junior: Pending requested
  Diff: 11 lines (+1/-0), 1 file modified: supported-misc-servers (+1/-0)
- Sergio Durigan Junior: Approve
  Diff: 11 lines (+1/-0), 1 file modified: supported-misc-servers (+1/-0)
description: updated
description: updated
Changed in python-aws-requests-auth (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in python-aws-requests-auth (Ubuntu):
assignee: Matthieu Clemenceau (mclemenceau) → nobody
Changed in python-aws-requests-auth (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in python-aws-requests-auth (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in python-aws-requests-auth (Ubuntu Groovy):
status: In Progress → Fix Committed
Changed in python-aws-requests-auth (Ubuntu Hirsute):
status: In Progress → Fix Committed
[Summary]
MIR Team ack, but a few follow-ups are needed to complete.
This does need a security review.
List of specific binary packages to be promoted to main: python3-aws-requests-auth
Required TODOs:
- subscriber was suggested to be foundations, but I'd need foundations
to say that they are ok with that.
@Matt - I'm assigning to you so you can make that call. If you agree
subscribe Foundations-bugs (or at least confirm that you will do so
eventually) - once done please assign ubuntu-security who is the next
team that has to look at this.
Recommended TODOs:
- the source has tests, but they don't run at build time.
Fixing that should be some easy extra coverage.
@Josh/@Matt - do you have someone who could look at this?
[Duplication]
There is no other package in main providing the same functionality.
python3-awsauth comes close, but is not in main, and limited to just S3.
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
[Security]
OK:
- history of CVEs does not look concerning (none)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
Problems:
- does not parse data formats
- does not deal with system authentication - not for the local system, but
authentication it is. As Josh outlined this gladly is rather small, so
it might be quick.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest (although superficial)
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python
Problems:
- does not have a test suite that runs at build time
There would be these:
./aws_requests_auth/tests/test_boto_utils.py
./aws_requests_auth/tests/test_aws_auth.py
Which for some reason are not discovered on python3.9 -m unittest discover -v
at build time, fixing that up would help to get this more stable.
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is slow but ok (not much movement)
- Debian/Ubuntu update history is slow but ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks