[MIR] python-oslo.metrics, python-prometheus-client

Bug #1943143 reported by Corey Bryant
Affects | Status | Importance | Assigned to | Milestone
python-oslo.metrics (Ubuntu) | Fix Released | Undecided | Unassigned |
python-prometheus-client (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

== python-oslo.metrics ==

[Availability]
Currently available in universe.

[Rationale]
python3-oslo.metrics is a new OpenStack dependency. Currently python3-oslo.messaging depends on it.

[Security]
No security history

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main except for python3-prometheus-client.

[Standards Compliance]
FHS and Debian Policy compliant

[Maintenance]
Simple python package that the OpenStack Team will take care of.

[Background]
Oslo.metrics is the OpenStack library for collecting metrics data from other Oslo
libraries and exposing that data to a monitoring system.

== python-prometheus-client ==

[Availability]
Currently available in universe.

[Rationale]
python3-oslo.metrics makes use of python3-prometheus-client.

[Security]
No security history

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main.

[Standards Compliance]
FHS and Debian Policy compliant

[Maintenance]
Python package that the OpenStack Team will take care of.

[Background]
python3-prometheus-client is a Python 3 library providing an API for exporting metrics from a Python 3 application. It provides classes for the metric types, and an HTTP server to expose the metrics to Prometheus.

summary: - [MIR] python-oslo.metrics
+ [MIR] python-oslo.metrics, python-prometheus-client
Changed in python-oslo.metrics (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Changed in python-prometheus-client (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
Christian Ehrhardt (paelzer) wrote:

[Summary]
MIR team ACK
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main:
- python3-prometheus-client

Required TODOs:
- none
Recommended TODOs:
- Strongly recommended to update to v0.11.0 before promotion
- Better to subscribe early to the package than to forget it later

[Duplication]
python3-django-prometheus is related but would use python-prometheus-client
to do the real work.
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (python3-decorator is in main)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)

Problems:
- does parse data formats
- it also has a network component through python-twisted
=> That is worth a security review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures fail the build
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- remember to subscribe to the package, could not find it for
  openstack-ubuntu-packagers or openstack-packagers

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- is not on the lto-disabled list

Problems:
- Debian/Ubuntu update history is not perfect, no update for a year
- the current release is not packaged (0.9 is of Nov 2020, 0.11 is current)

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Christian Ehrhardt (paelzer) wrote:

[Summary]
MIR team ACK
This does need a security review, so I'll assign ubuntu-security
List of specific binary packages to be promoted to main:
- python3-oslo.metrics

Required TODOs:
- none
Recommended TODOs:
- Better to subscribe early to the package than to forget it later

[Duplication]
python3-ceilometermiddleware is similar but for other elements of OpenStack.
But that one would be universe anyway.
So no, there is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (python3-prometheus-client is
  part of this MIR)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning (there are a
  few in oslo, but none in the metrics so far)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)

Problems:
- does not parse data formats
- routes messages which if crafted correctly might be a problem
=> worth a security review

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures fail the build
- does have a non-trivial test suite that runs as autopkgtest
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Problems:
- remember to subscribe to the package, could not find it for
  openstack-ubuntu-packagers or openstack-packagers

[Packaging red flags]
OK:
- Ubuntu does not carry a delta (still stuck in new queue there)
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good (but rather young)
- Ubuntu update history is unclear (no history yet)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- is not on the lto-disabled list

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in python-oslo.metrics (Ubuntu):
assignee: Christian Ehrhardt (paelzer) → Ubuntu Security Team (ubuntu-security)
Changed in python-prometheus-client (Ubuntu):
assignee: Christian Ehrhardt (paelzer) → Ubuntu Security Team (ubuntu-security)
tags: added: update-excuse
Seth Arnold (seth-arnold) wrote:

Does anyone here know how to file bugs against oslo metrics? The link given in the CONTRIBUTING.rst:

  https://bugs.launchpad.net/oslo.metrics

currently gives:

  oslo.metrics must be configured in order for Launchpad to forward bugs to the project's developers.

Thanks

Corey Bryant (corey.bryant) wrote:

@Seth, Thanks for taking a look. That looks like the right place based on other oslo libraries. I've asked in the upstream #openstack-oslo channel to see if it needs to be enabled. I'll report back.

Corey Bryant (corey.bryant) wrote:

@Seth, upstream has enabled https://bugs.launchpad.net/oslo.metrics so we can now file bugs there.

Seth Arnold (seth-arnold) wrote:

Thank you Corey, I've filed https://bugs.launchpad.net/oslo.metrics/+bug/1945533 -- perhaps it doesn't need to remain private, but it does feel like it has security implications, so I'd like to give the OpenStack team a chance to triage it as they wish.

Thanks

Seth Arnold (seth-arnold) wrote:

I reviewed python-oslo.metrics 0.3.0-0ubuntu1 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. ANY
OTHER NOTES REGARDING THE NATURE OF THE REVIEW ITSELF.

python-oslo.metrics is a middleware between statistics publishers and
statistics collectors.

- CVE History:
  - none
- Build-Depends?
   debhelper-compat (= 12),
   dh-python,
   openstack-pkg-tools,
   python3-all,
   python3-pbr (>= 3.1.1),
   python3-setuptools,
  Build-Depends-Indep:
   python3-oslo.config (>= 1:6.9.0),
   python3-oslo.log (>= 3.44.0),
   python3-oslo.utils (>= 3.41.0),
   python3-prometheus-client (>= 0.6.0),
   python3-oslotest (>= 1:3.2.0),
   python3-stestr (>= 2.0.0),
- pre/post inst/rm scripts?
  dh_python3 blocks
- init scripts?
  none
- systemd units?
  none
- dbus services?
  none
- setuid binaries?
  none
- binaries in PATH?
  oslo-metrics
- sudo fragments?
  none
- polkit files?
  none
- udev rules?
  none
- unit tests / autopkgtests?
  Very short, run during build
  The autopkgtests have a warning:
  UserWarning: Deprecate: ostestr command is deprecated now. Use stestr command instead.
- cron jobs?
  none
- Build logs:
  Clean

- Processes spawned?
  None
- Memory management?
  None
- File IO?
  None
- Logging?
  Looks fine
- Environment variable usage?
  None
- Use of privileged functions?
  None
- Use of cryptography / random number sources etc?
  None
- Use of temp files?
  The socket is stored in /var/tmp/metrics_collector.sock -- permissions
  look wrong.
- Use of networking?
  Unix domain socket, permissions look wrong.
- Use of WebKit?
  None
- Use of PolicyKit?
  None

- Any significant cppcheck results?
  None
- Any significant Coverity results?
  None (probably broken)
- Any significant shellcheck results?
  None
- Any significant bandit results?
  Unix domain socket in /var/tmp

python-oslo.metrics is pretty short and doesn't seem all that
complicated.

I'm starting to wonder if there's just plain too many OpenStack packages
these days; when I started this package, there wasn't a way to report bugs
in it, and my attempts to get help on irc led nowhere. Once it was
possible to file bugs, my bug report didn't get much traction. (Almost
understandable, it's not hugely important.) But it does give me the
impression that the openstack security team may be spread too thin.

Security team ACK for promoting python-oslo.metrics to main. Ideally,
Corey's fix for the permissions would land in the archive before we ship
it.

__main__.py main(): os.chmod(socket_path, stat.S_IRWXU | stat.S_IRWXO) --
https://bugs.launchpad.net/ubuntu/+source/python-oslo.metrics/+bug/1945533
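The permission finding above, illustrated as an added example (this is not code from the review, from oslo.metrics, or from the proposed upstream fix). It reproduces the mode the quoted chmod line produces, S_IRWXU | S_IRWXO (0o707: owner and every other user get full access, group gets none), audits a Unix-domain socket and its containing directory for group/other access, and shows one hardened creation pattern (umask 0177 before bind, then chmod to 0600). The hardened mode and the temporary directory are this example's own choices, not what oslo.metrics does.

```python
import os
import socket
import stat
import tempfile

# Mode from the chmod line quoted in the review: owner rwx plus *other* rwx.
# Any local user can connect to and write into a socket with these bits.
REVIEWED_MODE = stat.S_IRWXU | stat.S_IRWXO          # 0o707

# Owner read/write only. Assumption for this example, not the upstream fix.
HARDENED_MODE = stat.S_IRUSR | stat.S_IWUSR          # 0o600


def socket_permission_findings(path):
    """Audit a Unix-domain socket path; an empty list means no findings.

    Both the socket inode and its parent directory are checked: a socket
    placed in a shared, world-writable directory (the review names /var/tmp)
    is exposed even if the socket's own bits are tight.
    """
    findings = []
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a socket")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("socket accessible to group/other: %04o"
                        % stat.S_IMODE(st.st_mode))
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        findings.append("socket lives in a world-writable directory")
    return findings


def bind_private_socket(path, mode=HARDENED_MODE):
    """Create a listening Unix-domain socket usable only by its owner.

    The umask is narrowed *before* bind() so the socket never exists with
    permissive bits, and chmod afterwards pins the final mode explicitly.
    """
    old_umask = os.umask(0o177)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    srv.listen(1)
    return srv


def demo():
    """Audit the hardened socket, then the reviewed mode, in a private dir.

    Returns (findings_for_hardened, findings_for_reviewed_mode).
    """
    workdir = tempfile.mkdtemp(prefix="metrics-demo-")   # created 0700
    path = os.path.join(workdir, "metrics_collector.sock")  # constructed name
    srv = bind_private_socket(path)
    try:
        hardened = socket_permission_findings(path)
        os.chmod(path, REVIEWED_MODE)        # reproduce the reviewed bits
        reviewed = socket_permission_findings(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(workdir)
    return hardened, reviewed


if __name__ == "__main__":
    hardened, reviewed = demo()
    print("hardened socket findings:", hardened)
    print("reviewed-mode findings: ", reviewed)
```

The audit function is the reusable part: pointed at a deployed socket path it reports the same two conditions the review flags, the socket bits and the shared directory, so it can serve as a post-install check.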

Changed in python-oslo.metrics (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
Seth Arnold (seth-arnold) wrote:

I reviewed python-prometheus-client 0.9.0-1 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

python-prometheus-client is a middleware layer to provide metrics for
openstack software. (It could probably be asked to work outside the
openstack ecosystem.)

- CVE History:
  None
- Build-Depends: debhelper-compat (= 13),
  Build-Depends-Indep: dh-python,
                     python3-all,
                     python3-decorator (>= 4.0.10),
                     python3-pytest,
                     python3-setuptools,
- pre/post inst/rm scripts?
  automatically added by dh_python3 -- (funny trailing space in there)
- init scripts?
  None
- systemd units?
  None
- dbus services?
  None
- setuid binaries?
  None
- binaries in PATH?
  None
- sudo fragments?
  None
- polkit files?
  None
- udev rules?
  None
- unit tests / autopkgtests?
  large selection of tests, run during build
- cron jobs?
  None
- Build logs:
  E: python-prometheus-client changes: bad-distribution-in-changes-file unstable
  (meh)

- Processes spawned?
  None
- Memory management?
  None
- File IO?
  I believe it's all under control of the application that embeds this
  middleware -- though this uses the 'prometheus_multiproc_dir'
  environment variable when constructing paths to open
- Logging?
  None
- Environment variable usage?
  'prometheus_multiproc_dir', 'HTTP_ACCEPT', 'QUERY_STRING' -- looked fine
- Use of privileged functions?
  None
- Use of cryptography / random number sources etc?
  None
- Use of temp files?
  Some -- though, in the same directory as the storage target, and
  'simple' constructed names. Not quite as good as mkstemp(3) but not
  blatantly out of line either.
- Use of networking?
  Yes, both as a server and as a client; both parts are under control of
  whichever program has embedded this toolkit. Probably the quality varies
  drastically between the start_http_server method vs start_wsgi_server
  method.
- Use of WebKit?
  None
- Use of PolicyKit?
  None

- Any significant cppcheck results?
  None
- Any significant Coverity results?
  Nothing substantial
- Any significant shellcheck results?
  None
- Any significant bandit results?
  Nothing substantial

This is very-generic middleware. Quite a lot of what it does will be
controlled by code elsewhere. So it's perhaps lacking checks / controls /
etc that feel like they should be here, but its inputs aren't entirely
wide open because code elsewhere should be doing something reasonable.

Security team ACK for promoting python-prometheus-client to main.
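The temp-file and environment-variable observations above, as an added example that is not code from the review or from prometheus_client. It contrasts the predictable sibling-name pattern the review describes with the mkstemp(3)-based pattern it prefers: the temporary file is created with O_EXCL and mode 0600 in the same directory as the target, so the final os.replace is an atomic rename on one filesystem. The prometheus_multiproc_dir variable name is the one the review mentions; the validation rules applied to it, the file name and the environment dict are this example's own assumptions.

```python
import os
import tempfile


def resolve_multiproc_dir(environ):
    """Return the metrics directory named by prometheus_multiproc_dir.

    Validation rules here (set, absolute, existing directory) are this
    example's assumptions about what an embedding application should check
    before handing the path to the library.
    """
    raw = environ.get("prometheus_multiproc_dir")
    if not raw:
        raise ValueError("prometheus_multiproc_dir is not set")
    if not os.path.isabs(raw):
        raise ValueError("prometheus_multiproc_dir must be an absolute path")
    if not os.path.isdir(raw):
        raise ValueError("prometheus_multiproc_dir is not a directory")
    return raw


def predictable_temp_name(target):
    """The weak pattern: a guessable sibling such as '<target>.tmp'."""
    return target + ".tmp"


def write_atomically(target, data):
    """Write data to target via an mkstemp sibling plus atomic rename.

    Returns the temporary path that was used, so callers (and the test)
    can confirm it was unpredictable, in the same directory, and cleaned up.
    """
    directory = os.path.dirname(target)
    fd, tmp_path = tempfile.mkstemp(prefix=".metrics-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())       # data durable before it becomes visible
        os.replace(tmp_path, target)    # atomic on the same filesystem
    except BaseException:
        os.unlink(tmp_path)
        raise
    return tmp_path


def demo():
    """Run the hardened write in a private directory and report what happened."""
    workdir = tempfile.mkdtemp(prefix="prom-demo-")
    environ = {"prometheus_multiproc_dir": workdir}     # constructed environment
    mdir = resolve_multiproc_dir(environ)
    target = os.path.join(mdir, "counter_1234.db")       # constructed file name
    tmp_used = write_atomically(target, b"requests_total 42\n")   # constructed data
    with open(target, "rb") as fh:
        content = fh.read()
    result = {
        "content": content,
        "tmp_in_same_dir": os.path.dirname(tmp_used) == mdir,
        "tmp_removed": not os.path.exists(tmp_used),
        "tmp_unpredictable": tmp_used != predictable_temp_name(target),
        "rejects_unset": False,
    }
    try:
        resolve_multiproc_dir({})
    except ValueError:
        result["rejects_unset"] = True
    os.unlink(target)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Keeping the temporary file beside its target is what makes the rename atomic; moving it to a system temp directory would cross filesystems and lose that property, which is why the review treats same-directory placement as acceptable and only the naming as the weak point.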

Changed in python-prometheus-client (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
status: New → In Progress
Christian Ehrhardt (paelzer) wrote:

MIR and security Team Ack in place, it shows in component mismatches.
Time to ping the archive admins to promote it.

Changed in python-oslo.metrics (Ubuntu):
status: In Progress → Fix Committed
Changed in python-prometheus-client (Ubuntu):
status: In Progress → Fix Committed
Christian Ehrhardt (paelzer) wrote:

Coreycb / Jamepage: after talking with RAOF (you'll see the pings in IRC) - please upload a 0.3.0-0ubuntu2 with https://review.opendev.org/c/openstack/oslo.metrics/+/813018 - then nothing should block promoting this anymore.

Andy Whitcroft (apw)
Changed in python-oslo.metrics (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
Changed in python-prometheus-client (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
Changed in python-oslo.metrics (Ubuntu):
status: Fix Committed → Fix Released
Changed in python-prometheus-client (Ubuntu):
status: Fix Committed → Fix Released
Changed in python-oslo.metrics (Ubuntu):
assignee: Andy Whitcroft (apw) → nobody
Changed in python-prometheus-client (Ubuntu):
assignee: Andy Whitcroft (apw) → nobody
Changed in python-oslo.metrics (Ubuntu):
status: Fix Released → Fix Committed
Changed in python-prometheus-client (Ubuntu):
status: Fix Released → Fix Committed
Steve Langasek (vorlon) wrote:

Override component to main
python-oslo.metrics 0.3.0-0ubuntu2 in impish: universe/python -> main
python3-oslo.metrics 0.3.0-0ubuntu2 in impish amd64: universe/python/optional/100% -> main
python3-oslo.metrics 0.3.0-0ubuntu2 in impish arm64: universe/python/optional/100% -> main
python3-oslo.metrics 0.3.0-0ubuntu2 in impish armhf: universe/python/optional/100% -> main
python3-oslo.metrics 0.3.0-0ubuntu2 in impish i386: universe/python/optional/100% -> main
python3-oslo.metrics 0.3.0-0ubuntu2 in impish ppc64el: universe/python/optional/100% -> main
python3-oslo.metrics 0.3.0-0ubuntu2 in impish riscv64: universe/python/optional/100% -> main
python3-oslo.metrics 0.3.0-0ubuntu2 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-oslo.metrics (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote:

Override component to main
python-prometheus-client 0.9.0-1 in impish: universe/misc -> main
python3-prometheus-client 0.9.0-1 in impish amd64: universe/python/optional/100% -> main
python3-prometheus-client 0.9.0-1 in impish arm64: universe/python/optional/100% -> main
python3-prometheus-client 0.9.0-1 in impish armhf: universe/python/optional/100% -> main
python3-prometheus-client 0.9.0-1 in impish i386: universe/python/optional/100% -> main
python3-prometheus-client 0.9.0-1 in impish ppc64el: universe/python/optional/100% -> main
python3-prometheus-client 0.9.0-1 in impish riscv64: universe/python/optional/100% -> main
python3-prometheus-client 0.9.0-1 in impish s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in python-prometheus-client (Ubuntu):
status: Fix Committed → Fix Released