Comment 2 for bug 1820216

Mike Salvatore (mikesalvatore) wrote:

I reviewed python-django-gravatar2 version 1.4.2-3 as checked into
disco. This should not be considered a full security audit, but rather a
quick gauge of maintainability.

- There are no prior CVEs against the package
- Build depends:
           debhelper (>= 11),
           dh-python,
           python-all,
           python-setuptools,
           python3-all,
           python3-setuptools

- does not daemonize
- no initscripts
- no dbus services
- no setuid files
- no sudo fragments
- no udev rules
- does not fork
- Test suite performs thorough testing. Some tests rely on internet
  access. These tests are NOT run during build.
- no cronjobs
- no logging (not applicable)
- This project has had no activity in the past 1.5 years.
- does not use WebKit
- does not use PolicyKit
- does not use Javascript
- no memory management concerns

The URL returned by gravatar_url() is escaped, whereas the URL returned
in gravatar_profile_url() is not. A pull request has been submitted
upstream to rectify this.
https://github.com/twaddington/django-gravatar/pull/29

Some functions are capable of raising exceptions but provide no
documentation or indication to the user that exceptions may be raised.
Exceptions should be caught by django and transformed into HTTP 500
errors, so there is theoretically no harm.

ACK from the security team for promoting to main
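Illustration of the escaping point raised in the review above (a URL helper whose return value is placed in a template without HTML-escaping). This is an added example, not code from django-gravatar or from the reviewer: the hash construction (MD5 of the trimmed, lower-cased address) and the base URL follow the public Gravatar convention, while the helper's `default` parameter and its verbatim concatenation into the query string are hypothetical, chosen so that caller-controlled text reaches the URL unchanged.

```python
import hashlib
import html
from html.parser import HTMLParser
from typing import Dict, Optional

GRAVATAR_BASE = "https://www.gravatar.com"  # public Gravatar endpoint


def gravatar_hash(email: str) -> str:
    """Gravatar identifier: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def build_profile_url(email: str, default: Optional[str] = None) -> str:
    """Profile URL with an optional caller-supplied 'd' value.

    Hypothetical shortcut: the value is concatenated verbatim, so whatever
    the caller passes ends up in the URL unchanged.
    """
    url = f"{GRAVATAR_BASE}/{gravatar_hash(email)}"
    if default is not None:
        url += "?d=" + default
    return url


def render_link_unescaped(email: str, default: Optional[str] = None) -> str:
    """Template-tag style output that returns the URL raw (the flagged pattern)."""
    return f'<a href="{build_profile_url(email, default)}">profile</a>'


def render_link_escaped(email: str, default: Optional[str] = None) -> str:
    """Same output, but the URL is HTML-escaped before it lands in the attribute.

    quote=True turns '"' into '&quot;' (and '&' into '&amp;', which is the
    correct spelling of a query-string '&' inside an HTML attribute).
    """
    safe = html.escape(build_profile_url(email, default), quote=True)
    return f'<a href="{safe}">profile</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, Optional[str]] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> Dict[str, Optional[str]]:
    """Parse the rendered markup and return the attributes of its <a> tag."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    # Constructed input: a 'default' value that closes the href attribute.
    crafted = 'x" onmouseover="alert(1)'
    print(anchor_attributes(render_link_unescaped("alice@example.com", crafted)))
    print(anchor_attributes(render_link_escaped("alice@example.com", crafted)))
```

With the raw rendering the parser reports a second attribute (`onmouseover`) on the anchor; with the escaped rendering it reports only `href`, whose value is exactly the URL the helper built, quotes included. In a Django template the same distinction is between returning a plain string (autoescaped by the template engine) and returning a value marked safe, which bypasses that escaping.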