I reviewed python-oslo.metrics 0.3.0-0ubuntu1 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. ANY
OTHER NOTES REGARDING THE NATURE OF THE REVIEW ITSELF.
python-oslo.metrics is a middleware between statistics publishers and
statistics collectors.
- Processes spawned?
None
- Memory management?
None
- File IO?
None
- Logging?
Looks fine
- Environment variable usage?
None
- Use of privileged functions?
None
- Use of cryptography / random number sources etc?
None
- Use of temp files?
The socket is stored in /var/tmp/metrics_collector.sock -- permissions
look wrong.
- Use of networking?
Unix domain socket, permissions look wrong.
- Use of WebKit?
None
- Use of PolicyKit?
None
- Any significant cppcheck results?
None
- Any significant Coverity results?
None (probably broken)
- Any significant shellcheck results?
None
- Any significant bandit results?
Unix domain socket in /var/tmp
python-oslo.metrics is pretty short and doesn't seem all that
complicated.
I'm starting to wonder if there's just plain too many OpenStack packages
these days; when I started this package, there wasn't a way to report bugs
in it, and my attempts to get help on irc led nowhere. Once it was
possible to file bugs, my bug report didn't get much traction. (Almost
understandable, it's not hugely important.) But it does give me the
impression that the openstack security team may be spread too thin.
Security team ACK for promoting python-oslo.metrics to main. Ideally,
Corey's fix for the permissions would land in the archive before we ship
it.
- CVE History:
none
- Build-Depends?
debhelper-compat (= 12),
dh-python,
openstack-pkg-tools,
python3-all,
python3-pbr (>= 3.1.1),
python3-setuptools,
Build-Depends-Indep:
python3-oslo.config (>= 1:6.9.0),
python3-oslo.log (>= 3.44.0),
python3-oslo.utils (>= 3.41.0),
python3-prometheus-client (>= 0.6.0),
python3-oslotest (>= 1:3.2.0),
python3-stestr (>= 2.0.0),
- pre/post inst/rm scripts?
dh_python3 blocks
- init scripts?
none
- systemd units?
none
- dbus services?
none
- setuid binaries?
none
- binaries in PATH?
oslo-metrics
- sudo fragments?
none
- polkit files?
none
- udev rules?
none
- unit tests / autopkgtests?
Very short, run during build
The autopkgtests have a warning:
UserWarning: Deprecate: ostestr command is deprecated now. Use stestr command instead.
- cron jobs?
none
- Build logs:
Clean
__main__.py main(): os.chmod(socket_path, stat.S_IRWXU | stat.S_IRWXO) -- https://bugs.launchpad.net/ubuntu/+source/python-oslo.metrics/+bug/1945533
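Added example, not code from python-oslo.metrics or from the review above: a Python script that binds a Unix domain socket with the reviewed mode (S_IRWXU | S_IRWXO) beside a private one and reports the resulting exposure, including whether the socket's directory is world-writable as /var/tmp is. The names bind_unix_socket, socket_exposure and demo are my own, and the hardened mode assumes only the owning user needs to reach the collector.

```python
import os
import socket
import stat
import tempfile

# Mode from the reviewed __main__.py: owner rwx plus *other* rwx (0o707), so
# any local user can connect to the collector socket.
WEAK_MODE = stat.S_IRWXU | stat.S_IRWXO
# Hardened alternative (assumption: only the owning user needs access).
PRIVATE_MODE = stat.S_IRWXU

def bind_unix_socket(path, mode):
    """Bind a listening Unix domain socket at `path` with the given mode.
    The umask is tightened around bind() so the socket never exists with a
    permissive mode, even briefly, before chmod() runs."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    srv.listen(1)
    return srv

def socket_exposure(path):
    """Report group/other access bits on the socket (the bug in the review)
    and whether its directory is world-writable, as /var/tmp is."""
    st = os.lstat(path)
    dir_st = os.stat(os.path.dirname(path) or ".")
    return {
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),
        "world_accessible": bool(st.st_mode & stat.S_IRWXO),
        "group_accessible": bool(st.st_mode & stat.S_IRWXG),
        "dir_world_writable": bool(dir_st.st_mode & stat.S_IWOTH),
    }

def demo():
    """Bind one socket per mode in a private temp dir; return their exposure."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, mode in (("weak", WEAK_MODE), ("private", PRIVATE_MODE)):
            srv = bind_unix_socket(os.path.join(d, label + ".sock"), mode)
            results[label] = socket_exposure(srv.getsockname())
            srv.close()
    return results
```

Running demo() shows the weak socket with mode 0o707 flagged as world-accessible while the private one is 0o700; pointing socket_exposure() at a socket under /var/tmp additionally flags the world-writable directory.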