Bug #2046160 “[MIR] python3-pyasyncore” : Bugs : python-pyasyncore package : Ubuntu

Christian Ehrhardt  (paelzer) on 2024-01-02

Changed in python-pyasyncore (Ubuntu):
assignee:	nobody → Christian Ehrhardt  (paelzer)

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2024-01-03:

#1

Download full text (5.3 KiB)

Review for Source Package: python-pyasyncore

[Summary]
MIR team ACK

This does not need a security review.
On one hand it doesn't do much that creates exposure, but on the other hand one
might rightfully say - but in the past code using it was affected e.g. in
CVE-2010-3492. But then this was part of python3 up to 3.12 and as part of that
reviewed and accepted for years - the code is still the very same and therefore
no re-review needed IMHO.

List of specific binary packages to be promoted to main: python3-pyasyncore
Specific binary packages built, but NOT to be promoted to main: n/a

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
And I mean "exactly the same" asyncio is similar and recommended, but this
is all about making the change a little bit softer and not as quick.

- A team (openstack) is committed to own long term maintenance of this package.

- The rationale given in the report seems valid and useful for Ubuntu
  To be clear, not in a a sense like "yay everone use it please" but as in
  "we understand we can't cut ties as fast as upstream does"
  It is a bit weird though and I want to know if that means we'll carry it
  forever - gladly just when I wanted to write this I found that you already
  linked bugs and discussions about python3-taskflow getting rid of it in the
  future - in that scope I tihnk it is ok to keep it for a while.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning (a few, but very long time no new
  ones)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features => being only a lib it can't decide what to do as it does
  not know its scenario

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- This does not need special HW for build or test
- no new python2 dependency
- Python package, but using dh_python

Problems:
- does not have a test suite that runs at build time
- does not have a non-trivial test suite that runs as autopkgtest

AFAICS in t...

Review for Source Package: python-pyasyncore

[Summary]
MIR team ACK

This does not need a security review.
On one hand it doesn't do much that creates exposure, but on the other hand one
might rightfully say - but in the past code using it was affected e.g. in
CVE-2010-3492. But then this was part of python3 up to 3.12 and as part of that
reviewed and accepted for years - the code is still the very same and therefore
no re-review needed IMHO.

List of specific binary packages to be promoted to main: python3-pyasyncore
Specific binary packages built, but NOT to be promoted to main: n/a

[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
  And I mean "exactly the same" asyncio is similar and recommended, but this
  is all about making the change a little bit softer and not as quick.

- A team (openstack) is committed to own long term maintenance of this package.

- The rationale given in the report seems valid and useful for Ubuntu
  To be clear, not in a a sense like "yay everone use it please" but as in
  "we understand we can't cut ties as fast as upstream does"
  It is a bit weird though and I want to know if that means we'll carry it
  forever - gladly just when I wanted to write this I found that you already
  linked bugs and discussions about python3-taskflow getting rid of it in the
  future - in that scope I tihnk it is ok to keep it for a while.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning (a few, but very long time no new
  ones)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
  signing, ...)
- this makes appropriate (for its exposure) use of established risk
  mitigation features => being only a lib it can't decide what to do as it does
  not know its scenario

Problems: None

[Common blockers]
OK:
- does not FTBFS currently
- This does not need special HW for build or test
- no new python2 dependency
- Python package, but using dh_python

Problems:
- does not have a test suite that runs at build time
- does not have a non-trivial test suite that runs as autopkgtest

AFAICS in the context this lives (always was in main as part of python,
just extending lieftime a little bit) this is mostly ok. There is one weak side
to the story that I'd ask you to improve before promoting it and that is
testing.
You already have the benfit of not needing anything special like HW that blocks
you. And while I understand that this is meant to stay as-is by design, who
knows if e.g. python 3.13, 3.14, ... does not break this. Due to that I'm not
too happy about
  override_dh_auto_test:
     echo "Do nothing..."
Despite the "just keep the old around" and OTOH just being 640ish lines
of code, running a few tests won't hurt. There is neither build time tests
nore autopkgtests - since it is meant to stay as-is I'd expect that build time
won't help much anyway.
But an autopkgtest on the mentione python change would be interesting.

But then I looked at all those dependencies [1], they all depend on python3:any
or similar and hence will have their autopkgtest executed when python changes.
Due to that indirectly python-pyasyncore will be tested as well.

This is 24 autopkgtest runs that will trigger at a python update. Not all are
great, but overall that is decent coverage fort what this is.
Hence despite my first feeling, not strict request to add tests.

[1]: https://codesearch.debian.net/search?q=import.*asyncore&literal=0

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok
- Upstream update history is slow, but then it is meant to not change
- Debian/Ubuntu update history is slow as well
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list

Problems: None

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python only)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case (dev only)

Problems: None

Changed in python-pyasyncore (Ubuntu):
status:	New → Fix Committed

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2024-01-03:

#2

It shows in mismatches so Fix Committed for now

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2024-01-03:

#3

Override component to main
python-pyasyncore 1.0.2-2 in noble: universe/python -> main
python3-pyasyncore 1.0.2-2 in noble amd64: universe/python/optional/100% -> main
python3-pyasyncore 1.0.2-2 in noble arm64: universe/python/optional/100% -> main
python3-pyasyncore 1.0.2-2 in noble armhf: universe/python/optional/100% -> main
python3-pyasyncore 1.0.2-2 in noble i386: universe/python/optional/100% -> main
python3-pyasyncore 1.0.2-2 in noble ppc64el: universe/python/optional/100% -> main
python3-pyasyncore 1.0.2-2 in noble riscv64: universe/python/optional/100% -> main
python3-pyasyncore 1.0.2-2 in noble s390x: universe/python/optional/100% -> main
Override [y|N]? y
8 publications overridden.

Thereby this should resolve and then continuously hold it in main:

python-taskflow (5.4.0-0ubuntu1 to 5.4.0-0ubuntu3)
Migration status for python-taskflow (5.4.0-0ubuntu1 to 5.4.0-0ubuntu3): BLOCKED: Rejected/violates migration policy/introduces a regression
Issues preventing migration:
python3-taskflow/amd64 in main cannot depend on python3-pyasyncore in universe
Impossible Depends: python-taskflow -> python3-pyasyncore/1.0.2-2/amd64
Additional info:
20 days old

Changed in python-pyasyncore (Ubuntu):
status:	Fix Committed → Fix Released
assignee:	Christian Ehrhardt  (paelzer) → nobody

Ubuntu
python-pyasyncore package

[MIR] python3-pyasyncore

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntupython-pyasyncore package

[MIR] python3-pyasyncore

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
python-pyasyncore package