[MIR] python-cryptography, python-cffi, pycparser, enum34
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| enum34 (Ubuntu) | | High | Unassigned | |
| pycparser (Ubuntu) | | Undecided | Unassigned | |
| python-cffi (Ubuntu) | | Undecided | Unassigned | |
| python-cryptography (Ubuntu) | | High | Unassigned | |
| python-cryptography-vectors (Ubuntu) | | Undecided | Unassigned | |
| python-pretend (Ubuntu) | | Undecided | Unassigned | |
Bug Description
[Background information]
pyopenssl 0.14 has rewritten its custom Python C extension binding to use the cffi interface to OpenSSL.
At the same time the upstream packages have been split; thus pyopenssl is pure Python now, but depends on python-cryptography -> python-cffi -> pycparser to build and run.
pyopenssl is in main already.
python-cryptography packaging has been tweaked to drop the test-only dependencies and move them to autopackagetests alone, such that we don't need to MIR all of those (e.g. pypy and friends). Thus the test suite is executed as an autopackage test only, rather than at build time.
[Availability]
pycparser & python-cffi are in universe
[Rationale]
To keep pyopenssl, which is required for ubuntu-sso-client and the OpenStack clients, in main.
[Security]
Dangerous crypto-facing code...
[Quality assurance]
Testsuite present and enforced via autopackagetests.
[Dependencies]
These are the dependencies:
pycparser, python-cffi, python-cryptography
[Standards compliance]
Gains TLS 1.1 & 1.2 support in pyopenssl
[Maintenance]
Server/Cloud Teams ?
Related branches
| Steve Langasek (vorlon) wrote : | #1 |
| Changed in python-cryptography (Ubuntu): | |
| assignee: | nobody → Dimitri John Ledkov (xnox) |
| Steve Langasek (vorlon) wrote : | #2 |
(dependency details at http://
| Dimitri John Ledkov (xnox) wrote : | #3 |
meh, that looks horrible. And we don't want pypy in main just yet =(
| no longer affects: | python-cryptography-vectors (Ubuntu) |
| description: | updated |
| Changed in python-cffi (Ubuntu): | |
| assignee: | nobody → Dimitri John Ledkov (xnox) |
| Changed in pycparser (Ubuntu): | |
| assignee: | nobody → Dimitri John Ledkov (xnox) |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package python-cryptography - 0.6.1-1ubuntu1
---------------
python-cryptography (0.6.1-1ubuntu1) vivid; urgency=medium
* Do not run build time test-suite, due to test requirements in
universe, instead add them to debian/
autopackage
gatekeeper. (LP: #1430082)
-- Dimitri John Ledkov <email address hidden> Wed, 11 Mar 2015 22:44:59 +0000
| Changed in python-cryptography (Ubuntu): | |
| status: | New → Fix Released |
| Changed in python-cryptography (Ubuntu): | |
| status: | Fix Released → New |
| assignee: | Dimitri John Ledkov (xnox) → nobody |
| Changed in python-cffi (Ubuntu): | |
| assignee: | Dimitri John Ledkov (xnox) → nobody |
| Changed in pycparser (Ubuntu): | |
| assignee: | Dimitri John Ledkov (xnox) → nobody |
| summary: |
- [MIR] python-cryptography + [MIR] python-cryptography, python-cffi, pycparser |
| Changed in python-cryptography (Ubuntu): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in python-cffi (Ubuntu): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in pycparser (Ubuntu): | |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in python-cryptography (Ubuntu): | |
| assignee: | Jamie Strandboge (jdstrand) → Ubuntu Security Team (ubuntu-security) |
| Changed in python-cffi (Ubuntu): | |
| assignee: | Jamie Strandboge (jdstrand) → Ubuntu Security Team (ubuntu-security) |
| Changed in pycparser (Ubuntu): | |
| assignee: | Jamie Strandboge (jdstrand) → Ubuntu Security Team (ubuntu-security) |
I don't like the way that python-cryptography is dropping the tests. python-
| Changed in python-pretend (Ubuntu): | |
| status: | New → In Progress |
| Changed in python-cryptography-vectors (Ubuntu): | |
| assignee: | nobody → Ubuntu Security Team (ubuntu-security) |
| Barry Warsaw (barry) wrote : | #6 |
For enum34:
[Availability]
In universe since Trusty.
[Rationale]
Used by some packages that want enum support in older Python versions. Used by python-cryptography (another package in this MIR).
[Security]
No known security issues. None to be expected really, since it only provides a basic data type.
[Quality assurance]
Bugs are well tracked upstream. Code is well tested in upstream Python.
[Dependencies]
None other than Python itself.
[Standards compliance]
Meets Debian and Debian Python standards.
[Maintenance]
Package is well maintained upstream by Python's enum stdlib maintainer, and in Debian by the DPMT and myself.
[Background information]
enum34 is a standalone version of the Python 3.4 stdlib enum package. It's compatible with older Python 3 and Python 2 versions and is often used to provide cross-version compatibility in packages that want to use enums in older Python versions.
| summary: |
- [MIR] python-cryptography, python-cffi, pycparser + [MIR] python-cryptography, python-cffi, pycparser, enum34 |
| James Page (james-page) wrote : | #7 |
+1'ing this MIR for OpenStack Kilo on vivid as well
Keystone has introduced a new token format requiring python-cryptography and python-glance-store needs enum34.
| Changed in python-cryptography (Ubuntu): | |
| importance: | Undecided → High |
| Changed in enum34 (Ubuntu): | |
| importance: | Undecided → High |
| Matthias Klose (doko) wrote : | #8 |
python-pretend is a 3k module providing stubbing for test writers. Looks good to me, no open bug reports, both Debian and upstream.
Override component to main
python-pretend 1.0.8-1ubuntu1 in vivid: universe/misc -> main
python-pretend 1.0.8-1ubuntu1 in vivid amd64: universe/
python-pretend 1.0.8-1ubuntu1 in vivid arm64: universe/
python-pretend 1.0.8-1ubuntu1 in vivid armhf: universe/
python-pretend 1.0.8-1ubuntu1 in vivid i386: universe/
python-pretend 1.0.8-1ubuntu1 in vivid powerpc: universe/
python-pretend 1.0.8-1ubuntu1 in vivid ppc64el: universe/
python3-pretend 1.0.8-1ubuntu1 in vivid amd64: universe/
python3-pretend 1.0.8-1ubuntu1 in vivid arm64: universe/
python3-pretend 1.0.8-1ubuntu1 in vivid armhf: universe/
python3-pretend 1.0.8-1ubuntu1 in vivid i386: universe/
python3-pretend 1.0.8-1ubuntu1 in vivid powerpc: universe/
python3-pretend 1.0.8-1ubuntu1 in vivid ppc64el: universe/
13 publications overridden.
| Changed in python-pretend (Ubuntu): | |
| status: | In Progress → Fix Released |
| Matthias Klose (doko) wrote : | #9 |
ok, looks good.
Override component to main
enum34 1.0.3-1 in vivid: universe/misc -> main
python-enum34 1.0.3-1 in vivid amd64: universe/
python-enum34 1.0.3-1 in vivid arm64: universe/
python-enum34 1.0.3-1 in vivid armhf: universe/
python-enum34 1.0.3-1 in vivid i386: universe/
python-enum34 1.0.3-1 in vivid powerpc: universe/
python-enum34 1.0.3-1 in vivid ppc64el: universe/
python-enum34-doc 1.0.3-1 in vivid amd64: universe/
python-enum34-doc 1.0.3-1 in vivid arm64: universe/
python-enum34-doc 1.0.3-1 in vivid armhf: universe/
python-enum34-doc 1.0.3-1 in vivid i386: universe/
python-enum34-doc 1.0.3-1 in vivid powerpc: universe/
python-enum34-doc 1.0.3-1 in vivid ppc64el: universe/
python3-enum34 1.0.3-1 in vivid amd64: universe/
python3-enum34 1.0.3-1 in vivid arm64: universe/
python3-enum34 1.0.3-1 in vivid armhf: universe/
python3-enum34 1.0.3-1 in vivid i386: universe/
python3-enum34 1.0.3-1 in vivid powerpc: universe/
python3-enum34 1.0.3-1 in vivid ppc64el: universe/
19 publications overridden.
| Changed in enum34 (Ubuntu): | |
| status: | New → Fix Released |
| Changed in python-cffi (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Changed in pycparser (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Matthias Klose (doko) wrote : | #10 |
python-cffi / pycparser:
The packaging looks sane, well maintained in Debian, and upstream. No bug reports in Debian and Ubuntu. From my point of view these two packages are fine, except for one odd thing, now documented in LP: #1442369, and suggesting that the python-cffi package is split into a python-cffi-runtime package and a python-cffi package. Unsure if that should be a blocker for the migration to main.
| Michael Terry (mterry) wrote : | #11 |
Yeah, agreed that python-cffi and pycparser seem fine. They need team bug subscribers though.
| James Page (james-page) wrote : | #12 |
Added ubuntu-server as team bug subscriber for pycparser and python-cffi.
| James Page (james-page) wrote : | #13 |
Ditto python-
| Changed in pycparser (Ubuntu): | |
| status: | New → Fix Committed |
| Changed in python-cffi (Ubuntu): | |
| status: | New → Fix Committed |
| Seth Arnold (seth-arnold) wrote : | #14 |
I reviewed python-cryptography version 0.8-1ubuntu2 as checked into Ubuntu
vivid. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.
- python-cryptography provides a cffi interface to OpenSSL with friendly
shims for better python integration
- Build-Depends: debhelper, dh-python, python-all-dev, python3-all-dev,
python-
python-six, python3-six, libssl-dev, python-
python-
python3-
python-pytest, python3-pytest, python-pretend, python3-pretend,
python-pyasn1, python3-pyasn1, python-enum34, python3-enum34
- This package provides both recipes for safe cryptography use as well as
a hazmat namespace for raw cryptography use. This package does not
itself daemonize or connect to the network.
- pre/post inst/rm scripts automatically generated
- No initscripts
- No dbus services
- No binaries in the path
- No setuid or setgid
- No sudo fragments
- No udev rules
- No cronjobs
- Extensive test suite with thousands of test cases run during the build
- Clean build logs
- No subprocesses are spawned
- Memory management is very complicated; Python modules implemented in C
need to manage both the python-GC system and the C unmanaged memory
allocations. There were instructive comments near some C implementations
about the proper way to manage that object type's memory, but errors
feel inevitable.
- Very few file operations of its own
- Logging looked safe
- No environment variable use on Linux, looked safe on Windows
- No privileged portions of code
- Extensive cryptography, much under control of client programs
- No networking
- No temporary file handling
- No WebKit
- No javascript
- No PolicyKit
python-cryptography is intricate, involved code; Python modules and
cffi are complicated, and OpenSSL's API is dangerous at the best of
times. That said, this code looks careful -- there's good parameter
checking, asserts throughout, comments are descriptive where they are
used, documentation is good.
I did not extensively check the cryptography used; spot checks looked
fine, Fernets looked interesting.
Security team ACK for promoting python-cryptography to main.
Thanks
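Seth's review distinguishes the recipe layer from the hazmat namespace and singles out Fernet; the following stdlib-only verifier for the Fernet token envelope (version byte, big-endian timestamp, IV, AES-CBC ciphertext, HMAC-SHA256 over everything before it) is an added illustration, not code from this bug report or from python-cryptography itself. It shows the authenticate-then-parse discipline the recipe enforces before any decryption happens; the key, IV and stand-in ciphertext are constructed, and the AES-CBC step is deliberately omitted.

```python
import base64
import hashlib
import hmac
import struct
import time

# Fernet token layout: 0x80 | 8-byte big-endian timestamp | 16-byte IV
# | AES-128-CBC ciphertext | 32-byte HMAC-SHA256 over all preceding fields.
VERSION = b"\x80"
MAX_CLOCK_SKEW = 60  # seconds a token timestamp may lie in the future


def split_key(fernet_key):
    """32-byte key, url-safe base64: first 16 bytes sign, last 16 encrypt."""
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def build_token(fernet_key, iv, ciphertext, timestamp):
    """Assemble and MAC a token; ciphertext is opaque here (constructed bytes
    stand in for AES-CBC output, which this example does not compute)."""
    signing_key, _ = split_key(fernet_key)
    body = VERSION + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)


def verify_token(fernet_key, token, ttl=None, now=None):
    """Authenticate first, parse second: return (timestamp, iv, ciphertext)
    or raise ValueError before any decryption would take place."""
    signing_key, _ = split_key(fernet_key)
    data = base64.urlsafe_b64decode(token)
    if len(data) < 1 + 8 + 16 + 32 or data[0:1] != VERSION:
        raise ValueError("malformed token or unsupported version")
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: token altered or wrong key")
    timestamp = struct.unpack(">Q", body[1:9])[0]
    now = int(time.time()) if now is None else now
    if ttl is not None and timestamp + ttl < now:
        raise ValueError("token expired")
    if timestamp > now + MAX_CLOCK_SKEW:
        raise ValueError("token timestamp is in the future")
    return timestamp, body[9:25], body[25:]


# Constructed sample key, IV and stand-in ciphertext (not real encrypted data).
KEY = base64.urlsafe_b64encode(b"\x01" * 16 + b"\x02" * 16)
IV = b"\x0f" * 16
BODY = b"\xaa" * 32
```

A token produced by the library's Fernet class has exactly this layout, so the same function verifies real tokens; what it does not do is decrypt them.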
| Changed in python-cryptography (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Michael Terry (mterry) wrote : | #15 |
python-cryptography looks fine to me too. Approved.
| Changed in python-cryptography (Ubuntu): | |
| status: | New → Fix Committed |
| Seth Arnold (seth-arnold) wrote : | #16 |
python-
Security team ACK for promoting python-
Thanks
| Changed in python-cryptography-vectors (Ubuntu): | |
| assignee: | Ubuntu Security Team (ubuntu-security) → nobody |
| Adam Conrad (adconrad) wrote : | #17 |
Approved -vectors, and promoted along with the others.
| Changed in python-cryptography-vectors (Ubuntu): | |
| status: | New → Fix Released |
| Changed in pycparser (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Changed in python-cffi (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Changed in python-cryptography (Ubuntu): | |
| status: | Fix Committed → Fix Released |
Dimitri, this was a manual sync of pyopenssl by you. Could you please follow through on the MIR to get its dependencies into main?