Comment 5 for bug 1915445

Avital Ostromich (avital) wrote :

I reviewed python-aws-requests-auth 0.4.3-2 as checked into impish. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-aws-requests-auth is a Python package for manually signing AWS requests with additional functionality to retrieve AWS credentials via boto.

- CVE History:
  - No history of CVEs
- Build-Depends?
  - debhelper-compat (= 13), dh-python, python3-all, python3-botocore, python3-mock, python3-setuptools
- pre/post inst/rm scripts?
  - Populated automatically by python debhelper
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - Unit tests passing
  - Unit tests run during build
  - Well-documented test suite
- No cron jobs
- Build logs:
  - No significant build errors or warnings
  - No lintian failures

- No processes spawned
- Memory management N/A
- No file IO
- No logging
- No environment variables
- No use of privileged functions
- Use of cryptography
  - Uses Python HMAC module to sign the requests, in accordance with the official AWS examples.
- No use of temp files
- Use of networking
  - Retrieves AWS credentials with boto module in a non-core/convenience function.
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results
- No significant shellcheck results
- No significant bandit results

python-aws-requests-auth is not currently actively maintained upstream (https://github.com/DavidMuller/aws-requests-auth/pull/52#issuecomment-583591776); the latest PR from Feb 2021 has not been responded to. That said, the code base is small and neatly documented, heavily drawing from the existing AWS example code for its functionality.

Security team ACK for promoting python-aws-requests-auth to main.