Comment 3 for bug 1817327

Christian Ehrhardt (paelzer) wrote:

[Duplication]
This is not a duplication case, but it is special and worth mentioning:
- https://github.com/saltstack/libnacl
- https://github.com/pyca/pynacl

In later releases the stack depends on the latter, and that is fully in main already.
In older releases it was using the former.
I appreciate not trying to SRU a change of the bindings to the other package as that would IMHO not be SRUable.

Eventually, for any given release there will only be one nacl Python binding in main, which is ok.
Also, this only changes the past; future versions will not need libnacl.

[Embedded sources and static linking]
- no embedded other sources
- no static linking
- no golang

[Security]
- no known CVEs
- no daemon
- no root usage (it is only a lib/binding after all)
- does not deal with pam/authentication
although:
- it will (through libsodium) parse data formats
- it is used to access crypto functions and therefore is sensitive

[Common blockers]
- builds fine last time in Xenial
- Testsuite is running and blocking build on Xenial as well as on newer versions
- the maas team is already subscribed to the package
- no user visible output that needs translation
- only python3 dependencies are used (but then for Xenial/Trusty this wouldn't even be important)
- dh_python is in use

[Packaging red flags]
- Ubuntu delta is only the backport (LP: #1586770)?
- no symbols
- debian/watch present
- updates happened rarely but since we only go for Xenial/Trusty that isn't too important anyway
- no massive Lintian warnings (things out of date, but that is ok as it is ~3 years old now)
- very clean d/rules (almost only dh @)

[Upstream red flags]
- no build errors on the Xenial version that will be added to main
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no longstanding bugs
- no dependency on webkit, qtwebkit, seed or libgoa-*

[Summary]
This seems reasonably supportable in X/T unless the security team spots something from their scope of expertise.
I'll ack this from the MIR team's POV, but it needs security review as outlined above.
Assigning to security.

Notes/TODOs:
@Chad - since this wasn't built for a long time in Xenial and never before in Trusty, could you please provide a PPA that builds the set of three packages in both releases?
@Security - just like back with [1], there should be a security review as it deals with crypto. But given it is mostly a binding/wrapper to libsodium, it should not have too much logic to make this complex.

[1]: https://bugs.launchpad.net/ubuntu/+source/python-nacl/+bug/1747460/comments/10