Comment 8 for bug 1943143

Seth Arnold (seth-arnold) wrote :

I reviewed python-prometheus-client 0.9.0-1 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

python-prometheus-client is a middleware layer to provide metrics for
openstack software. (It could probably be asked to work outside the
openstack ecosystem.)

- CVE History:
  None
- Build-Depends: debhelper-compat (= 13),
  Build-Depends-Indep: dh-python,
                     python3-all,
                     python3-decorator (>= 4.0.10),
                     python3-pytest,
                     python3-setuptools,
- pre/post inst/rm scripts?
  automatically added by dh_python3 -- (funny trailing space in there)
- init scripts?
  None
- systemd units?
  None
- dbus services?
  None
- setuid binaries?
  None
- binaries in PATH?
  None
- sudo fragments?
  None
- polkit files?
  None
- udev rules?
  None
- unit tests / autopkgtests?
  large selection of tests, run during build
- cron jobs?
  None
- Build logs:
  E: python-prometheus-client changes: bad-distribution-in-changes-file unstable
  (meh)

- Processes spawned?
  None
- Memory management?
  None
- File IO?
  I believe it's all under control of the application that embeds this
  middleware -- though this uses the 'prometheus_multiproc_dir'
  environment variable when constructing paths to open
- Logging?
  None
- Environment variable usage?
  'prometheus_multiproc_dir', 'HTTP_ACCEPT', 'QUERY_STRING' -- looked fine
- Use of privileged functions?
  None
- Use of cryptography / random number sources etc?
  None
- Use of temp files?
  Some -- though, in the same directory as the storage target, and
  'simple' constructed names. Not quite as good as mkstemp(3) but not
  blatantly out of line either.
- Use of networking?
  Yes, both as a server and as a client; both parts are under control of
  whichever program has embedded this toolkit. Probably the quality varies
  drastically between the start_http_server method vs start_wsgi_server
  method.
- Use of WebKit?
  None
- Use of PolicyKit?
  None

- Any significant cppcheck results?
  None
- Any significant Coverity results?
  Nothing substantial
- Any significant shellcheck results?
  None
- Any significant bandit results?
  Nothing substantial

This is very generic middleware. Quite a lot of what it does will be
controlled by code elsewhere. So it's perhaps lacking checks / controls /
etc that feel like they should be here, but its inputs aren't entirely
wide open because code elsewhere should be doing something reasonable.

Security team ACK for promoting python-prometheus-client to main.
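The two points the review raises about file handling (paths built from the 'prometheus_multiproc_dir' environment variable, and temp files with 'simple' constructed names next to the storage target) are illustrated below as an added example. This is not code from python-prometheus-client or from the reviewer; the `multiproc_dir` and `write_atomic` helpers, their checks, and the sample payload are constructed for the illustration.

```python
import os
import stat
import tempfile

ENV_VAR = "prometheus_multiproc_dir"  # lowercase name used by the 0.9.0 series


def multiproc_dir(environ=os.environ) -> str:
    """Resolve the metrics directory from the environment and refuse settings
    that would let other local users tamper with the per-process files.
    (Hypothetical check for the embedding application, not the library's own.)"""
    raw = environ.get(ENV_VAR)
    if not raw or not os.path.isabs(raw):
        raise ValueError(f"{ENV_VAR} must be set to an absolute path")
    path = os.path.realpath(raw)
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise ValueError(f"{path} is group/world writable")
    return path


def write_atomic(path: str, data: bytes) -> str:
    """mkstemp(3)-style alternative to a predictable '<path>.tmp' name:
    unique name, created O_EXCL with mode 0600, in the target's own directory
    so os.replace() stays an atomic rename on the same filesystem."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".metrics-", dir=directory)
    done = False
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
        done = True
    finally:
        if not done:
            os.unlink(tmp)  # never leave a half-written temp file behind
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed private directory
        base = multiproc_dir({ENV_VAR: d})
        target = os.path.join(base, "counter_123.db")
        write_atomic(target, b"constructed sample payload")
        print(open(target, "rb").read())
```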