[MIR] python-boto3 as a dependency of simplestreams

Bug #2061217 reported by Jeremy Bícha
Affects: python-boto3 (Ubuntu)
Status: Fix Committed
Importance: Undecided
Assigned to: Ubuntu Security Team
Milestone: (none)

Bug Description

[Availability]
The package python-boto3 is already in Ubuntu universe.
The package python-boto3 builds for the architectures it is designed to work on:
the source builds on amd64 only, but the binary package is Architecture: all.
Link to package: https://launchpad.net/ubuntu/+source/python-boto3

[Rationale]
Simplestreams itself has been in main for quite a while (since bug 1220427).
The package python-boto3 is required in Ubuntu main for simplestreams.
The package python-boto3 will not generally be useful for a large part of
our user base, but is important/helpful still because it is required by simplestreams.
Additionally, promoting it enables demoting python-boto to universe, because
the only reverse dependency of python-boto in main is simplestreams and Debian is going
to drop support for python-boto, see LP: 2052437.
The package python-boto3 is a new runtime dependency of package simplestreams, which
we already support.
python-boto is not compatible with python3.12, the only Python supported in noble; thus,
to commit to long-term support of simplestreams, it is better to depend on packages
that have upstream support.

The package python-boto3 is required in Ubuntu main no later than the noble release,
because it is required by a new upload of simplestreams in noble-proposed that makes it
work on python3.12 and allows dropping python-boto from the noble archive.

python-s3transfer is a binary dependency of python-boto3
python-botocore is a binary dependency of python-s3transfer

[Security]
- No CVEs/security issues in this software in the past:
(0)https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python-boto3
(0)https://ubuntu.com/security/cves?q=&package=python-boto3&priority=&version=&status=
(0)https://security-tracker.debian.org/tracker/source-package/python-boto3

- No `suid` or `sgid` binaries
- No executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Package does not open privileged ports (ports < 1024)
- Package does not expose any external endpoints
- Package does not contain extensions to security-sensitive software
  (filters, scanners, plugins, UI skins, ...)
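The claims in the checklist above (no setuid/setgid binaries, nothing under /sbin or /usr/sbin, no units, timers or cron jobs) can be verified against what a binary package actually ships rather than taken on trust. The script below is an added example, not part of this MIR or of the boto3 project: it reads installed paths (normally the output of `dpkg -L <package>`) and prints one line per finding. The sample path list at the bottom is constructed for offline use and is only illustrative of where a pure-Python library lands; the `audit_package` helper assumes `dpkg` is available and the package is installed.

```shell
#!/bin/sh
# Added example (not from the MIR or from boto3): audit a list of installed
# paths against the MIR security checklist.

# Read one path per line from stdin and print a finding for each path that
# is a setuid/setgid regular file, an executable location under /sbin or
# /usr/sbin, a systemd unit, or a cron/init.d job.
# Returns 0 when no finding was printed, 1 otherwise.
audit_paths() {
    findings=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$path" in
            /sbin/*|/usr/sbin/*)
                echo "sbin-executable: $path"; findings=1 ;;
            /lib/systemd/system/*|/usr/lib/systemd/system/*|/etc/systemd/system/*)
                echo "systemd-unit: $path"; findings=1 ;;
            /etc/cron.d/*|/etc/cron.hourly/*|/etc/cron.daily/*|/etc/cron.weekly/*|/etc/cron.monthly/*|/etc/init.d/*)
                echo "recurring-job: $path"; findings=1 ;;
        esac
        # Mode bits can only be inspected for files present on this system.
        # In `ls -l` output the 4th character is the user execute/setuid
        # position and the 7th the group execute/setgid position; 's' or 'S'
        # there means the bit is set.
        if [ -f "$path" ]; then
            case "$(ls -ld "$path" 2>/dev/null)" in
                ???[sS]*|??????[sS]*)
                    echo "setuid-or-setgid: $path"; findings=1 ;;
            esac
        fi
    done
    return $findings
}

# Audit an installed Debian binary package by name (assumes dpkg is present).
audit_package() {
    dpkg -L "$1" | audit_paths
}

# Constructed sample: the kind of paths a pure-Python library package ships.
SAMPLE_PATHS="/usr/lib/python3/dist-packages/boto3/__init__.py
/usr/lib/python3/dist-packages/boto3/session.py
/usr/share/doc/python3-boto3/copyright"

if printf '%s\n' "$SAMPLE_PATHS" | audit_paths; then
    echo "sample list: no findings"
else
    echo "sample list: review the findings above"
fi
```

On a real system run `audit_package python3-boto3`. Note the limits: this only inspects shipped paths, so a service or timer created by a maintainer script (postinst) is not seen, and listening ports cannot be determined statically at all; those two checklist items still need a look at the maintainer scripts and a runtime check.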

[Quality assurance - function/usage]
The package works well right after install. It's a python library.

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu (2)https://bugs.launchpad.net/ubuntu/+source/python-boto3/+bug
  - Debian (0)https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=python-boto3
  - Upstream's bug tracker (192)https://github.com/boto/boto3/issues
    Looks normal for the age and impact of these libraries
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run tests at build time because it is not configured to do so,
  although the upstream source code contains unit tests
- The package does not run an autopkgtest because none is configured.

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian does not run as part of the build
  https://launchpadlibrarian.net/715514166/buildlog_ubuntu-noble-amd64.python-boto3_1.34.46+dfsg-1_BUILDING.txt.gz
- Lintian output attached
- Lintian overrides are present, but ok because they are justified:

# This is a false positive, likely an occurrence of #1019980
python-boto3 source: source-is-missing [docs/source/_templates/page.html]

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to debian/rules:
  https://git.launchpad.net/ubuntu/+source/python-boto3/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
  is at:
  - python-s3transfer: https://bugs.launchpad.net/ubuntu/+source/python-s3transfer/+bug/2061750
  - python-botocore: https://bugs.launchpad.net/ubuntu/+source/python-botocore/+bug/2061751

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Ubuntu Server and I have their acknowledgement for
  that commitment
- The future owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based

[Background information]
The package description explains the package well
Upstream Name is boto3
Link to upstream project https://github.com/boto/boto3

Tags: sec-4082
Revision history for this message
Alberto Contreras (aciba) wrote :

I am going to start working on the MIR template.

Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Whilst looking at the package with Alberto, we found that python3-s3transfer, one of boto3's runtime dependencies, is in Universe, too. So this needs to be MIR'd alongside python3-boto as well. Adding python-s3transfer as a task to this same bug itself. Hopefully that should be sufficient here.

Revision history for this message
Alberto Contreras (aciba) wrote :

python-botocore is a dependency of python-s3transfer thus it has to be MIRed too per the same reasoning as https://bugs.launchpad.net/ubuntu/+source/python-boto3/+bug/2061217/comments/2

Revision history for this message
Alberto Contreras (aciba) wrote (last edit ):

$ lintian --pedantic python-boto3_1.34.46+dfsg-1.dsc
P: python-boto3 source: package-uses-old-debhelper-compat-version 12
P: python-boto3 source: silent-on-rules-requiring-root [debian/control]
P: python-boto3 source: trailing-whitespace [debian/changelog:80]

no longer affects: python-botocore (Ubuntu)
no longer affects: python-s3transfer (Ubuntu)
summary: - [MIR] python-boto3
+ [MIR] python-boto3 as a dependency of simplestreams
Revision history for this message
Mark Esler (eslerm) wrote :

Hello, the MIR process says any MIRs assigned to the security team after
the Beta Freeze deadline need to be discussed with the Director of
Security Engineering:

    For a MIR to be considered for a release, it must be assigned to the
    Security team (by the MIR team) before Beta Freeze. This does not
    guarantee that a security review can be completed by Final Release.
    Ask the director of Security for exceptions.

https://github.com/canonical/ubuntu-mir?tab=readme-ov-file#security-reviews

Please find a few minutes on Alex Burrage's calendar and schedule
a meeting.

Thanks

Changed in python-boto3 (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Review for Source Package: python-boto3

[Summary]
MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

List of specific binary packages to be promoted to main: python3-boto3

Specific binary packages built, but NOT to be promoted to main: <none>

This does need a security review, so I'll assign ubuntu-security
But it is also a bit of a special case. On one hand tests are only added right
now while I'm writing this and on the other a security review is required.
But given the context, the former outdated and unmaintained code we have in
python-boto does not have any of that.

But look at these three aspects on their own:
1. testing: In regard to testing we would not lose anything, and we would very
   soon get the testing added improving the situation.
2. security: The old code this replaces is the ancestor of the new code and
   that new code is better maintained, better split and more modern. So it
   should be better even before a review (which we should have)
3. maintenance: The old code is discontinued, we can not expect upstream support
   on issues with the old - so maintenance for bugs as well as security should
   be much better with the new stack.

Under these conditions I'd propose we allow it to be promoted now, will still
enqueue a security review and CPC/Alberto as well as Server will work on
anything found along that (if any).

Required TODOs:
- #1 please add testing as discussed. I've spoken with Alberto and he is
     already on extending the package to have proper tests.

[Rationale, Duplication and Ownership]
There is another package in main providing the same functionality: python-boto.
But that alternative is outdated and discontinued and this request is about
replacing the unmaintainable (and incompatible with the python in noble) old
version with the new one.
=> OK

A team is committed to own long term maintenance of this package.
=> Server, team-subscription already added

The rationale given in the report seems valid and useful for Ubuntu,
for simplestreams as reported and for other users of the library.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- other Dependencies to MIR due to this, cases are already open and linked here

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, c...


Changed in python-boto3 (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote (last edit ):

To update everyone on what makes this case special, we discussed this today in the MIR meeting [1].

While everyone would have appreciated it if all of this had just happened 2 months ago, that is not where we are right now, and this isn't complaining - in fact we thank Alberto and CPC for picking it up at all. But due to that we are in a special situation where not accepting it seems worse (due to the old python-boto it replaces being discontinued, outdated and incompatible) than accepting this with the requirements that we can make happen in the next few hours (see the review above).

Due to that, while no one was happy or super satisfied - we voted unanimously to allow this to be promoted in noble to demote python-boto in the same action.

The security review that we require is not expected to fit in the remaining time before the release, and much less before RC images. Therefore it will be scheduled as if there were no special urgency (usually completing in 2-4 weeks). Thereby it will not be a special urgent "change all other priorities to complete it before the release" case, which also answers @mark's comment #6. No need to bring one more hard-to-deal-with issue to Alex in this case.

Waiting with a state-change for the uploads with the tests to be in proposed and then planning a last check with the release team to not interfere with any RC builds (clearing -proposed is always good, but we want to be sure).

[1]: https://ubottu.com/meetingology/logs/ubuntu-meeting/2024/ubuntu-meeting.2024-04-16-14.32.moin.txt

Changed in python-boto3 (Ubuntu):
status: New → Fix Committed
Mark Esler (eslerm)
tags: added: sec-4082
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Full stack is ready now

Override component to main
python-boto3 1.34.46+dfsg-1ubuntu1 in noble: universe/misc -> main
python3-boto3 1.34.46+dfsg-1ubuntu1 in noble amd64: universe/python/optional/100% -> main
python3-boto3 1.34.46+dfsg-1ubuntu1 in noble arm64: universe/python/optional/100% -> main
python3-boto3 1.34.46+dfsg-1ubuntu1 in noble armhf: universe/python/optional/100% -> main
python3-boto3 1.34.46+dfsg-1ubuntu1 in noble i386: universe/python/optional/100% -> main
python3-boto3 1.34.46+dfsg-1ubuntu1 in noble ppc64el: universe/python/optional/100% -> main
python3-boto3 1.34.46+dfsg-1ubuntu1 in noble riscv64: universe/python/optional/100% -> main
python3-boto3 1.34.46+dfsg-1ubuntu1 in noble s390x: universe/python/optional/100% -> main
Override [y|N]? y
8 publications overridden.
