Comment 1 for bug 1427861

Tyler Hicks (tyhicks) wrote:

I've reviewed python-bcrypt 0.4-2ubuntu1 in Vivid. Due to
time constraints, this should not be considered a full audit. Here are
some interesting points taken from my review notes:

= Code =

 * CVE history
   - CVE-2013-1895 was assigned for an issue that could allow an
     attacker to log in as another user if a threaded application used
     py-bcrypt.
   - The initial bug report was ignored for a few months but the
     security impact of the bug was unknown at that time. When someone
     else pointed out the security impact, a fix was apparently released
     within an hour.

 * What does the package do? What are the interfaces between it and the
   user, between it and 3rd parties?
   - The package implements bcrypt password hashing for Python
     applications. Applications interact with it to securely store
     hashed passwords.

 * Build-deps?
   - Only core Python and C library build deps
   - Implements its own blowfish and sha2 and combines them to implement
     pbkdf2

 * No daemons, no init scripts, no DBus, no setuid binaries, no binaries
   in $PATH, no sudo fragments, no udev rules, no cron jobs, no
   subprocesses spawned, clean memory management/handling, no file I/O,
   no network usage, no logging, no env variable usage, no privileged
   operations

 * Test suite? How does it interact with the code?
   - PyUnit tests which run through a number of test vectors to verify
     that a known set of inputs always outputs the expected value and
     that known bad inputs result in different outputs.
   - The tested vectors didn't match up with any other bcrypt test
     vectors that I could find so I updated the test suite with some
     test vectors from John the Ripper's bcrypt tests and verified that
     the tests still pass.

 * Clean build logs

 * Static analysis tools (rats, flawfinder, cppcheck) gave it a clean
   bill of health

= Packaging =

 * The Ubuntu delta is to enable the tests (verify test vectors) at build
   time

 * Packaging is clean and has no complexity

 * Does it have a bug subscriber in Ubuntu? Ideally some team in Ubuntu
   is looking after the package.
   - No

 * Does it have a watch file?
   - Yes but it points to code.google.com which is shutting down later
     this year

 * Current release is packaged but there haven't been any new commits in
   the last 1.5 years
   - Probably not an issue as there are no serious open bugs and the
     code can probably be considered "feature complete"
   - Backporting security fixes should be easy since there's not any
     churn

 * No applicable, open bugs in Debian BTS or Launchpad

The code is small. I don't like that it implements its own crypto but,
considering what the package does, it seems acceptable.

Security Team ACK for promoting to main, conditional on doko (or someone
else) subscribing to the package's bug reports.
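The review above describes two things worth having in a password-hashing test suite: known-answer vectors (known inputs always give the expected output, known-bad inputs give a different output) and, given the CVE-2013-1895 history, a check that concurrent callers each get the result for their own input. The following is an added example of such a PyUnit harness; it is not code from python-bcrypt or from this bug thread. Because the bcrypt module may not be installed, it uses `hashlib.pbkdf2_hmac` as a stand-in KDF together with the PBKDF2-HMAC-SHA1 vectors from RFC 6070; the `derive` wrapper, `check_*` helpers and the `KdfVectorTests` class are assumptions of this example, and pointing `derive` at `bcrypt.kdf` or `bcrypt.hashpw` with that package's own vectors is the only change needed to test the reviewed code instead.

```python
"""Known-answer and concurrency checks for a password KDF.

Added example, not part of python-bcrypt or the bug thread. The KDF under
test is hashlib.pbkdf2_hmac (assumption: a stand-in for bcrypt.hashpw or
bcrypt.kdf), and the vectors are the RFC 6070 PBKDF2-HMAC-SHA1 ones.
"""
import hashlib
import threading
import unittest

# RFC 6070 known-answer vectors: (password, salt, iterations, dkLen, expected hex).
# The 16,777,216-iteration vector is omitted to keep the run short.
RFC6070_VECTORS = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
    (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt", 4096, 25,
     "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"),
    (b"pass\0word", b"sa\0lt", 4096, 16, "56fa6aa75548099dcc37d7f03425e0c3"),
]


def derive(password, salt, rounds, dklen):
    """Stand-in KDF (assumption). Replace with the library call under review."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, rounds, dklen)


def check_vectors(kdf=derive, vectors=RFC6070_VECTORS):
    """Return a list of (index, got, expected) mismatches; an empty list is a pass."""
    failures = []
    for i, (pw, salt, rounds, dklen, expected) in enumerate(vectors):
        got = kdf(pw, salt, rounds, dklen).hex()
        if got != expected:
            failures.append((i, got, expected))
    return failures


def check_negative(kdf=derive):
    """Known-bad inputs (wrong password, wrong salt) must not reproduce the
    expected output for the first vector."""
    pw, salt, rounds, dklen, expected = RFC6070_VECTORS[0]
    wrong_pw = kdf(b"Password", salt, rounds, dklen).hex()
    wrong_salt = kdf(pw, b"pepper", rounds, dklen).hex()
    return wrong_pw != expected and wrong_salt != expected


def check_concurrent(kdf=derive, vectors=RFC6070_VECTORS, threads_per_vector=4):
    """Run every vector from several threads at once and confirm each thread
    gets the output for *its own* input. A KDF that keeps state shared across
    calls can hand one caller another caller's result, which is the failure
    class behind the thread-safety CVE mentioned in the review."""
    results = {}
    lock = threading.Lock()

    def worker(key, vec):
        pw, salt, rounds, dklen, expected = vec
        got = kdf(pw, salt, rounds, dklen).hex()
        with lock:
            results[key] = (got == expected)

    threads = [
        threading.Thread(target=worker, args=((n, i), vec))
        for n in range(threads_per_vector)
        for i, vec in enumerate(vectors)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    expected_runs = threads_per_vector * len(vectors)
    return len(results) == expected_runs and all(results.values())


class KdfVectorTests(unittest.TestCase):
    """PyUnit wrapper so the checks run under `python -m unittest`."""

    def test_known_answers(self):
        self.assertEqual(check_vectors(), [])

    def test_known_bad_inputs_differ(self):
        self.assertTrue(check_negative())

    def test_threads_get_their_own_result(self):
        self.assertTrue(check_concurrent())


if __name__ == "__main__":
    unittest.main()
```

Running the file directly executes the three tests. The concurrency check cannot prove thread safety (a race may simply not trigger), but it is cheap, runs at build time like the enabled Ubuntu tests, and would have exercised the code path in which the original thread-safety bug lived.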