[MIR] python-botocore as indirect dependency of simplestreams (simplestreams -> python-boto3 -> python-s3transfer -> python-botocore)

Bug #2061751 reported by Alberto Contreras
This bug affects 1 person
Affects: python-botocore (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Ubuntu Security Team | Milestone: (none)

Bug Description

[Availability]
The package python-botocore is already in Ubuntu universe.
The package python-botocore builds for the architectures it is designed to work on.
It builds on amd64 only (but the binary is arch-all).
Link to package: https://launchpad.net/ubuntu/+source/python-botocore

[Rationale]
The package python-botocore is required in Ubuntu main for python-boto3 as an indirect dependency
The package python-botocore will not generally be useful for a large part of
our user base, but is important/helpful still because it is required by python-boto3
which is in the MIR process as a dependency of simplestreams.
python-boto3 MIR link: https://bugs.launchpad.net/ubuntu/+source/python-boto3/+bug/2061217

- The package python-botocore is required in Ubuntu main on the same schedule requested for the python-boto3 promotion, since python-boto3 depends on it.

[Security]
- No CVEs/security issues in this software in the past:
(0)https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python-botocore
(0)https://security-tracker.debian.org/tracker/source-package/python-botocore
(0)https://ubuntu.com/security/cves?q=&package=python-botocore&priority=&version=&status=

No `suid` or `sgid` binaries
No executables in `/sbin` and `/usr/sbin`
Package does not install services, timers or recurring jobs
Package does not open privileged ports (ports < 1024).
Package does not expose any external endpoints
Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
The package works well right after install. It's a python library.

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu (4)https://bugs.launchpad.net/ubuntu/+source/python-botocore/+bugs
  - Debian (1)https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=python-botocore
  - Upstream's bug tracker (112)https://github.com/boto/botocore/issues
    Looks normal for the age and impact of these libraries
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package does not run tests at build time because it is not configured to do so;
  the upstream source code contains unit tests.
- The package does not run an autopkgtest because it is not configured to do so.

[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- Lintian does not run as part of the build
  https://launchpadlibrarian.net/715514517/buildlog_ubuntu-noble-amd64.python-botocore_1.34.46+repack-1_BUILDING.txt.gz
- Lintian output attached
- Lintian overrides are present, but ok because they are justified:

# This is a false positive, likely an occurrence of #1019980
python-botocore source: source-is-missing [docs/source/_templates/page.html]

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to debian/rules:
  https://git.launchpad.net/ubuntu/+source/python-botocore/tree/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

[Dependencies]
- No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
- The owning team will be Ubuntu Server and I have their acknowledgement for
  that commitment
- The future owning team is already subscribed to the package
- This does not use static builds
- This does not use vendored code
- This package is not rust based

[Background information]
The Package description explains the package well
Upstream Name is botocore
Link to upstream project https://github.com/boto/botocore

Tags: sec-4084
Revision history for this message
Alberto Contreras (aciba) wrote :

$ lintian --pedantic python-botocore_1.34.46+repack-1.dsc
P: python-botocore source: package-uses-old-debhelper-compat-version 12
P: python-botocore source: silent-on-rules-requiring-root [debian/control]

description: updated
description: updated
summary: - [MIR] python-botocore as dependency of python-s3transfer
+ [MIR] python-botocore as indirect dependency of simplestreams
+ (simplestreams -> python-boto3 -> python-s3transfer -> python-botocore)
Changed in python-botocore (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Review for Source Package: python-botocore

[Summary]

Being developed in sync with python-boto3, this is almost a copy-and-paste of
the other review except for small changes in a few places.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

List of specific binary packages to be promoted to main: python3-botocore

Specific binary packages built, but NOT to be promoted to main: <none>

This does need a security review, so I'll assign ubuntu-security

Some special conditions apply, please read bug 2061217 which has all those
details.

Required TODOs:
- #1 please add testing as discussed. I've spoken with Alberto and he is
     already on extending the package to have proper tests.

[Rationale, Duplication and Ownership]
There is another package in main providing the same functionality: python-boto.
That was split in python-boto3 (bug 2061217) and python-botocore (this).
But that alternative is outdated and discontinued and this request is about
replacing the unmaintainable (and incompatible with the python in noble) old
version with the new one.
=> OK

A team is committed to own long term maintenance of this package.
=> Server, team-subscription already added

The rationale given in the report seems valid and useful for Ubuntu,
for simplestreams via the dependency as reported and for other users of
the library.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- other Dependencies to MIR due to this, cases are already open and linked here

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features (being a lib only it can not yet know the use-case
  and thereby not define profiles)

Problems:
- does parse data formats in its interaction with the cloud. Since
  many other things nowadays also provide AWS compatible backends one
  can not safely assume the source can always be trusted.
- does use centralized online accounts to access the privileged AWS resources

[Common blockers]
OK:
- does not FTBFS currently
- This does not need special HW for build or test
- Python package, but using dh_python

Problems:
- does not have a test suite that runs at build time
  - test suite fails will fail the build upon...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Assigning to security

Please see https://bugs.launchpad.net/ubuntu/+source/python-boto3/+bug/2061217/comments/8 for details on delayed security reviews and why we want to accept this already.

Changed in python-botocore (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
Changed in python-botocore (Ubuntu):
status: New → Fix Committed
Mark Esler (eslerm)
tags: added: sec-4084
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Full stack is ready now

Override component to main
python-botocore 1.34.46+repack-1ubuntu1 in noble: universe/misc -> main
python3-botocore 1.34.46+repack-1ubuntu1 in noble amd64: universe/python/optional/100% -> main
python3-botocore 1.34.46+repack-1ubuntu1 in noble arm64: universe/python/optional/100% -> main
python3-botocore 1.34.46+repack-1ubuntu1 in noble armhf: universe/python/optional/100% -> main
python3-botocore 1.34.46+repack-1ubuntu1 in noble i386: universe/python/optional/100% -> main
python3-botocore 1.34.46+repack-1ubuntu1 in noble ppc64el: universe/python/optional/100% -> main
python3-botocore 1.34.46+repack-1ubuntu1 in noble riscv64: universe/python/optional/100% -> main
python3-botocore 1.34.46+repack-1ubuntu1 in noble s390x: universe/python/optional/100% -> main
Override [y|N]? y
8 publications overridden.

Changed in python-botocore (Ubuntu):
status: Fix Committed → Fix Released