[MIR] python-boto3 as a dependency of simplestreams
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| python-boto3 (Ubuntu) | Fix Committed | Undecided | Ubuntu Security Team | |
Bug Description
[Availability]
The package python-boto3 is already in Ubuntu universe.
The package python-boto3 builds for the architectures it is designed to work on:
it builds on amd64 only, but the binary package is arch-all.
Link to package: https:/
[Rationale]
Simplestreams itself is in main for quite a while since bug 1220427.
The package python-boto3 is required in Ubuntu main for simplestreams
The package python-boto3 will not generally be useful for a large part of
our user base, but is important/helpful still because it is required by simplestreams
Additionally, a new use-case enabled by this is demoting python-boto to universe, because
the only reverse dependency in main is simplestreams and Debian is going to drop support
for python-boto, see LP: 2052437
The package python-boto3 is a new runtime dependency of package simplestreams that
we already support
python-boto is not compatible with python3.12, the only Python supported in noble; thus,
to commit to long-term support of simplestreams, it is better to depend on packages
that have upstream support.
The package python-boto3 is required in Ubuntu main no later than the noble release,
because it is required by a new upload of simplestreams in noble-proposed that makes it
work on python3.12 and allows python-boto to be dropped from the noble archives.
python-s3transfer is a binary dependency of python-boto3
python-botocore is a binary dependency of python-s3transfer
[Security]
- No CVEs/security issues in this software in the past:
(0)https:/
(0)https:/
(0)https:/
No `suid` or `sgid` binaries
No executables in `/sbin` and `/usr/sbin`
Package does not install services, timers or recurring jobs
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints
Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
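The [Security] checklist above is a set of mechanical properties of the package contents (no setuid/setgid files, nothing under `/sbin` or `/usr/sbin`, no unit, timer or cron files). The following script is an added example, not part of this MIR or of the boto3 packaging: it runs those checks over a package file listing. The input format (one `<octal mode> <path>` entry per line) and both listings are constructed here for illustration; a real run would feed it the file list of the built `.deb`.

```shell
#!/bin/sh
# Added example (not from the MIR or from boto3): audit a package file listing
# against the MIR security checklist. Input lines are "<4-digit octal mode> <path>",
# a constructed format; the listings below are constructed, not real package contents.

# Classify one "mode path" entry and print a finding line for each property hit.
audit_entry() {
    mode="$1"
    path="$2"
    # Leading digit of a 4-digit octal mode: 4 = setuid, 2 = setgid, 6 = both.
    case "$mode" in
        4???|6???) echo "setuid: $path" ;;
        2???)      echo "setgid: $path" ;;
    esac
    case "$path" in
        /sbin/*|/usr/sbin/*)
            echo "sbin executable: $path" ;;
        /lib/systemd/system/*|/etc/systemd/system/*|/etc/cron.*/*|/etc/init.d/*)
            echo "service/timer/cron: $path" ;;
    esac
}

# Audit a whole listing read from stdin; prints findings and returns 0 when the
# listing is clean, 1 when at least one finding exists.
audit_listing() {
    findings=0
    while read -r mode path; do
        [ -z "$mode" ] && continue
        out=$(audit_entry "$mode" "$path")
        if [ -n "$out" ]; then
            echo "$out"
            findings=1
        fi
    done
    return "$findings"
}

# Constructed listing resembling a pure-Python library package: should be clean.
CLEAN_LISTING='0644 /usr/lib/python3/dist-packages/boto3/__init__.py
0644 /usr/lib/python3/dist-packages/boto3/session.py
0644 /usr/share/doc/python3-boto3/copyright'

# Constructed listing with exactly the properties the checklist rejects.
BAD_LISTING='0644 /usr/lib/python3/dist-packages/example/__init__.py
4755 /usr/bin/example-helper
0755 /usr/sbin/exampled
0644 /lib/systemd/system/example.service'

# Demo: run both constructed listings through the audit.
demo() {
    echo "clean listing:"
    printf '%s\n' "$CLEAN_LISTING" | audit_listing && echo "  no findings"
    echo "bad listing:"
    printf '%s\n' "$BAD_LISTING" | audit_listing || echo "  -> would fail the MIR security checklist"
}
demo
```

The mode and path patterns cover only what the checklist names; a reviewer would still read `debian/rules` and the maintainer scripts, since a postinst can create a service or a setuid file that no file listing shows.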
[Quality assurance - function/usage]
The package works well right after install. It's a python library.
[Quality assurance - maintenance]
- The package is maintained well in Debian/
not have too many, long-term & critical, open bugs
- Ubuntu (2)https:/
- Debian (0)https:/
- Upstream's bug tracker (192)https:/
Looks normal for the age and impact of these libraries
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package does not run tests at build time because it is not configured to do so;
the upstream source code does contain unit tests
- The package does not run an autopkgtest because it is not configured to do so.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian does not run as part of the build
https:/
- Lintian output attached
- Lintian overrides are present, but ok because they are justified:
# This is a false positive, likely an occurrence of #1019980
python-boto3 source: source-is-missing [docs/source/
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to debian/rules:
https:/
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- There are further dependencies that are not yet in main, MIR for them
is at:
- python-s3transfer: https:/
- python-botocore: https:/
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be Ubuntu Server and I have their acknowledgement for
that commitment
- The future owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based
[Background information]
The package description explains the package well
Upstream Name is boto3
Link to upstream project https:/
- description: updated
- description: updated
- description: updated
- no longer affects: python-botocore (Ubuntu)
- no longer affects: python-s3transfer (Ubuntu)
- summary: changed from "[MIR] python-boto3" to "[MIR] python-boto3 as a dependency of simplestreams"
- description: updated
- Changed in python-boto3 (Ubuntu): assignee: nobody → Christian Ehrhardt (paelzer)
- Changed in python-boto3 (Ubuntu): status: New → Fix Committed
- tags: added: sec-4082
I am going to start working on the MIR template.