Comment 7 for bug 1943143

Seth Arnold (seth-arnold) wrote :

I reviewed python-oslo.metrics 0.3.0-0ubuntu1 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability. ANY
OTHER NOTES REGARDING THE NATURE OF THE REVIEW ITSELF.

python-oslo.metrics is a middleware between statistics publishers and
statistics collectors.

- CVE History:
  - none
- Build-Depends?
   debhelper-compat (= 12),
   dh-python,
   openstack-pkg-tools,
   python3-all,
   python3-pbr (>= 3.1.1),
   python3-setuptools,
  Build-Depends-Indep:
   python3-oslo.config (>= 1:6.9.0),
   python3-oslo.log (>= 3.44.0),
   python3-oslo.utils (>= 3.41.0),
   python3-prometheus-client (>= 0.6.0),
   python3-oslotest (>= 1:3.2.0),
   python3-stestr (>= 2.0.0),
- pre/post inst/rm scripts?
  dh_python3 blocks
- init scripts?
  none
- systemd units?
  none
- dbus services?
  none
- setuid binaries?
  none
- binaries in PATH?
  oslo-metrics
- sudo fragments?
  none
- polkit files?
  none
- udev rules?
  none
- unit tests / autopkgtests?
  Very short, run during build
  The autopkgtests have a warning:
  UserWarning: Deprecate: ostestr command is deprecated now. Use stestr command instead.
- cron jobs?
  none
- Build logs:
  Clean

- Processes spawned?
  None
- Memory management?
  None
- File IO?
  None
- Logging?
  Looks fine
- Environment variable usage?
  None
- Use of privileged functions?
  None
- Use of cryptography / random number sources etc?
  None
- Use of temp files?
  The socket is stored in /var/tmp/metrics_collector.sock -- permissions
  look wrong.
- Use of networking?
  Unix domain socket, permissions look wrong.
- Use of WebKit?
  None
- Use of PolicyKit?
  None

- Any significant cppcheck results?
  None
- Any significant Coverity results?
  None (probably broken)
- Any significant shellcheck results?
  None
- Any significant bandit results?
  Unix domain socket in /var/tmp

python-oslo.metrics is pretty short and doesn't seem all that
complicated.

I'm starting to wonder if there are just plain too many OpenStack packages
these days; when I started this package, there wasn't a way to report bugs
in it, and my attempts to get help on irc led nowhere. Once it was
possible to file bugs, my bug report didn't get much traction. (Almost
understandable, it's not hugely important.) But it does give me the
impression that the openstack security team may be spread too thin.

Security team ACK for promoting python-oslo.metrics to main. Ideally,
Corey's fix for the permissions would land in the archive before we ship
it.

__main__.py main(): os.chmod(socket_path, stat.S_IRWXU | stat.S_IRWXO) --
https://bugs.launchpad.net/ubuntu/+source/python-oslo.metrics/+bug/1945533
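For readers unfamiliar with the flagged line: S_IRWXU | S_IRWXO is 0707, i.e. owner and everyone else get full access while the group gets none, which is why any local user can write to the collector socket. The following added example (not oslo.metrics code and not part of this comment) puts that mode beside a bind that creates the socket inode restrictively from the start; the datagram socket type, the helper names and the temporary directory are assumptions for the demonstration.

```python
import os
import socket
import stat
import tempfile


def weak_socket_mode():
    # The mode flagged in the review: owner rwx plus "other" rwx,
    # no group bits at all. Any local user may connect and push metrics.
    return stat.S_IRWXU | stat.S_IRWXO          # 0o707


def world_accessible(path):
    """True if any of the 'other' permission bits are set on path."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)


def bind_metrics_socket(socket_path, mode=stat.S_IRUSR | stat.S_IWUSR):
    """Bind a Unix domain socket that is never world-accessible.

    The umask is tightened before bind() so the inode is created 0600
    rather than fixed up afterwards; the final mode is then set explicitly.
    Socket type (SOCK_DGRAM) is an assumption of this example.
    """
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    old_umask = os.umask(0o177)      # bind() creates the inode as 0600
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        sock.bind(socket_path)
    finally:
        os.umask(old_umask)
    os.chmod(socket_path, mode)
    return sock


def demo():
    """Create both variants in a private temp dir; return their exposure."""
    with tempfile.TemporaryDirectory() as d:
        weak = bind_metrics_socket(os.path.join(d, "weak.sock"),
                                   mode=weak_socket_mode())
        hardened = bind_metrics_socket(os.path.join(d, "hardened.sock"))
        result = (world_accessible(weak.getsockname()),
                  world_accessible(hardened.getsockname()))
        weak.close()
        hardened.close()
        return result                # (True, False)
```

For a real deployment the socket also belongs in a directory owned by the service user rather than the shared /var/tmp, and group access can be granted with S_IRGRP | S_IWGRP for the publishers' group instead of opening it to everyone.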