Comment 3 for bug 686257

Martin Pitt (pitti) wrote : Re: MIR needed (dependency of python-launchpadlib)

- No bug report in Debian; very calm Debian maintenance, there's a much newer upstream version 0.5 which didn't get packaged.
- Two non-critical bug reports in Ubuntu, one is fixed upstream in 0.5.
- Version 0.5 indeed looks a lot better, as it removes a lot of code duplication and uses more existing libraries (like libgnome-keyring). This version should be packaged first.
- Relatively small package, most of which is glue code.
- The main problem that I see here is that it's handling a lot of passwords, and doesn't use any kind of mlock()-like protection anywhere. So passwords are copied around a lot and get easily written to disk unencrypted, once this gets into swap.
- No i18n or usability issues, it's a backend library.
- Not actively maintained in Ubuntu.

Aside from this, it needs to be investigated what launchpadlib now does with this module. Previously it stored its cookie files on disk in ~/.launchpadlib.., and it seems this change will not only break the existing credentials files, but might also cause trouble with using launchpadlib on servers, where no native keyring servers are available. python-keyring has its own native implementation using python-crypto (Recommends:, already in main), but I haven't reviewed this for security. Perhaps Kees can take a look at this?
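The swap concern in the list above can be illustrated with a short sketch. This is an added example, not part of the original comment and not python-keyring code. It assumes Linux and reaches `mlock()` through ctypes, and `LockedSecret` and its methods are hypothetical names.

```python
import ctypes
import ctypes.util
import mmap

# libc handle; use_errno=True lets ctypes.get_errno() report why mlock() failed.
_libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
for _fn in (_libc.mlock, _libc.munlock):
    _fn.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    _fn.restype = ctypes.c_int


class LockedSecret:
    """Hypothetical helper: one anonymous page pinned in RAM for a secret."""

    def __init__(self, size=mmap.PAGESIZE):
        self.size = size
        self._map = mmap.mmap(-1, size)  # anonymous and page-aligned
        self._view = (ctypes.c_char * size).from_buffer(self._map)
        self._addr = ctypes.addressof(self._view)
        # mlock() may be refused (RLIMIT_MEMLOCK); record that instead of hiding it.
        self.locked = _libc.mlock(self._addr, size) == 0
        self.errno = 0 if self.locked else ctypes.get_errno()

    def store(self, secret):
        if len(secret) > self.size:
            raise ValueError("secret larger than the locked region")
        self._map[:len(secret)] = secret

    def peek(self, n):
        # Returns an ordinary bytes object: this copy lives on the unlocked heap,
        # which is exactly the kind of copying the review comment warns about.
        return self._map[:n]

    def wipe_and_release(self):
        ctypes.memset(self._addr, 0, self.size)  # zero while still locked
        wiped = self._map[:self.size] == bytes(self.size)
        if self.locked:
            _libc.munlock(self._addr, self.size)
        del self._view  # drop the buffer export so the map can be closed
        self._map.close()
        return wiped


if __name__ == "__main__":
    s = LockedSecret()
    s.store(b"constructed-sample-password")  # constructed sample value
    print("locked:", s.locked, "errno:", s.errno)
    print("wiped:", s.wipe_and_release())
```

Only the mapped page is pinned; any `str` or `bytes` copy made while handling the password remains swappable, so a library has to keep the secret inside such a buffer from end to end for the lock to matter.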