[MIR] python-sqlalchemy-utils

Bug #1543641 reported by Corey Bryant
Affects: python-sqlalchemy-utils (Ubuntu) | Importance: Undecided | Assigned to: Unassigned

Bug Description

[MIR] python-sqlalchemy-utils

[Availability]
Currently in universe.

[Rationale]
python-sqlalchemy-utils is a dependency of python-taskflow which is a dependency of several OpenStack packages.

[Security]
No security history.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
Simple python package that the OpenStack Team will take care of.

[Background]
This package provides various utility functions, new data types and helpers for SQLAlchemy.

Revision history for this message
Michael Terry (mterry) wrote :

- Needs a team bug subscriber.
- It doesn't even try to run tests under python3, but it should.
- It tries to run tests under python2, but doesn't actually do so (runs zero tests, but there are plenty in tests/).

Changed in python-sqlalchemy-utils (Ubuntu):
status: New → Incomplete
Revision history for this message
Corey Bryant (corey.bryant) wrote :

I'm going to abandon this MIR for now and instead patch taskflow to use a locally defined Json type instead of using the one from sqlalchemy-utils.
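The comment above refers to giving taskflow its own locally defined Json column type instead of the one shipped by sqlalchemy-utils. The block below is an added illustration of that pattern and is not taskflow's, sqlalchemy-utils' or SQLAlchemy's code: it implements the two hooks a SQLAlchemy TypeDecorator subclass would provide (process_bind_param on write, process_result_value on read) as a plain class, and stores rows through the standard-library sqlite3 module so it runs without SQLAlchemy installed. The class name JsonText, the flowdetails table, its columns, the max_length bound and the sample rows are all assumptions constructed for the example.

```python
"""Locally defined JSON column type, stored as TEXT in SQLite.

Mirrors the two hooks a SQLAlchemy TypeDecorator subclass implements
(process_bind_param on write, process_result_value on read) but uses only
the standard library.  The table, column names and sample rows below are
constructed for this illustration, not taken from taskflow.
"""
import json
import sqlite3
from typing import Any, Optional


class JsonText:
    """Serialise Python values to JSON text on write, parse them on read.

    json.dumps accepts only plain data (dict, list, str, numbers, bool, None)
    and raises TypeError for anything else, so arbitrary objects cannot be
    persisted; json.loads never executes code when reading rows back.
    """

    def __init__(self, max_length: int = 64 * 1024):
        # Assumed upper bound on the serialised document, so a caller cannot
        # write an unbounded blob into the TEXT column.
        self.max_length = max_length

    def process_bind_param(self, value: Any) -> Optional[str]:
        if value is None:
            return None
        encoded = json.dumps(value, sort_keys=True, separators=(",", ":"))
        if len(encoded) > self.max_length:
            raise ValueError(f"JSON document exceeds {self.max_length} characters")
        return encoded

    def process_result_value(self, value: Optional[str]) -> Any:
        if value is None:
            return None
        if not isinstance(value, str):
            raise TypeError(f"expected TEXT from the database, got {type(value).__name__}")
        # json.JSONDecodeError (a ValueError) surfaces rows that were not written through this type.
        return json.loads(value)


JSON_META = JsonText()


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS flowdetails ("
        " id INTEGER PRIMARY KEY, name TEXT NOT NULL, meta TEXT)"
    )
    return conn


def insert_flow(conn: sqlite3.Connection, name: str, meta: Any) -> int:
    cur = conn.execute(
        "INSERT INTO flowdetails (name, meta) VALUES (?, ?)",
        (name, JSON_META.process_bind_param(meta)),
    )
    return cur.lastrowid


def fetch_meta(conn: sqlite3.Connection, row_id: int) -> Any:
    row = conn.execute("SELECT meta FROM flowdetails WHERE id = ?", (row_id,)).fetchone()
    if row is None:
        raise KeyError(row_id)
    return JSON_META.process_result_value(row[0])


def roundtrip_demo() -> dict:
    """Write constructed rows and read them back through the type."""
    conn = open_store()
    good = insert_flow(conn, "flow-1", {"retries": 3, "tags": ["a", "b"], "owner": None})
    empty = insert_flow(conn, "flow-2", None)
    # A row written by another writer with non-JSON text, to show read-side rejection.
    conn.execute("INSERT INTO flowdetails (name, meta) VALUES (?, ?)", ("flow-3", "not json"))
    corrupt = conn.execute("SELECT id FROM flowdetails WHERE name = 'flow-3'").fetchone()[0]
    results = {"good": fetch_meta(conn, good), "empty": fetch_meta(conn, empty)}
    try:
        fetch_meta(conn, corrupt)
    except ValueError:
        results["corrupt_rejected"] = True
    try:
        insert_flow(conn, "flow-4", {"when": object()})
    except TypeError:
        results["object_rejected"] = True
    return results


if __name__ == "__main__":
    print(roundtrip_demo())
```

Keeping serialization on the json module rather than pickle is the point of the read-side hook: a row that some other writer put into the column is parsed as data, never deserialized into live objects, and the length bound on the write side keeps the TEXT column from becoming a dumping ground for arbitrarily large documents.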

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for python-sqlalchemy-utils (Ubuntu) because there has been no activity for 60 days.]

Changed in python-sqlalchemy-utils (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Chris MacNaughton (chris.macnaughton) wrote :

I'm working on enabling the unit and functional tests for sqlalchemy-utils with autopkgtests to allow us to progress this MIR.

Changed in python-sqlalchemy-utils (Ubuntu):
status: Expired → In Progress
status: In Progress → New
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Team bug subscriber added to python-sqlalchemy-utils.

Revision history for this message
James Page (james-page) wrote :

[Summary]
SQLAlchemy-Utils extends SQLAlchemy with various new data types and helpers.

The new data types include JSON and Encrypted types.

SQLAlchemy provides an Object-Relation Mapping python library.

This does need a security review, so assigning ubuntu-security.

MIR team approval for inclusion in main (pending security review).

Actions:
  python3-intervals required for latest package build - ubuntu-archive
  Update to latest point release (0.36.8) - ubuntu-openstack
  Submit packaging changes back to Debian - ubuntu-openstack

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
 - no other Dependencies to MIR due to this
 - no -dev/-debug/-doc packages that need exclusion

TODO: Problems:

[Embedded sources and static linking]
OK:
 - no embedded source present
 - no static linking

TODO: Problems:

[Security]
OK:
 - history of CVEs does not look concerning
   No history of CVEs

 - does not run a daemon as root
 - does not use webkit1,2
 - does not use lib*v8 directly
 - does not parse data formats
   Lots of data format handling including encryption -
   passing to security team for review.

 - does not open a port
 - does not process arbitrary web content
 - does not use centralized online accounts
 - does not integrate arbitrary javascript into the desktop
 - does not deal with system authentication (e.g. pam, etc.)

[Common blockers]
OK:
 - does not FTBFS currently
   Current upload in Ubuntu blocked due to missing BD (python3-intervals).
   Checking the source this is a build time only requirement and the
   package is in the NEW queue for archive-admin review.

 - does have a test suite that runs at build time
   - a test suite failure will fail the build upon error.
   No - package tests are run as autopkgtest due to the requirement
   for MySQL and PostgreSQL databases for testing.

 - does have a test suite that runs as autopkgtest
   Yes - the latest upload has autopkgtests.

 - The package has a team bug subscriber
   ubuntu-openstack

 - no translation present, but none needed for this case.
 - no new python2 dependency
 - Python package that is using dh_python

[Packaging red flags]
OK:
 - Ubuntu does carry a delta, but it is reasonable and maintenance under control
   Recent delta to add autopkgtests - this should be submitted back
   to Debian for consideration for inclusion by the Debian
   package maintainer.

 - symbols tracking not applicable for this kind of code.
 - d/watch is present and looks ok
 - Upstream update history is good
 - Debian/Ubuntu update history is good
 - the current release is packaged
   No - it's a couple of point releases behind (0.36.8)
   This is not a blocker for main inclusion as Ubuntu is
   the same major version.

 - promoting this does not seem to cause issues for MOTUs that so far
   maintained the package
 - no massive Lintian warnings
 - d/rules is rather clean
 - not using Built-Using

Recommendations:
  Update to latest point release (0.36.8)
  Submit packaging changes back to Debian.

[Upstream red flags]
OK:
 - no Errors/warnings during the build
 - no incautious use of malloc/sprintf (as far as I can check ...


Changed in python-sqlalchemy-utils (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Avital Ostromich (avital) wrote :

I reviewed python-sqlalchemy-utils 0.36.1-0ubuntu2 as checked into groovy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-sqlalchemy-utils is a python package providing additional data types and utility functions for SQLAlchemy.

- CVE History:
  - No history of CVEs
- No security sensitive Build-Depends
  - debhelper-compat (= 12), dh-python, openstack-pkg-tools, python3-all, python3-setuptools, python3-sphinx
- pre/post inst/rm scripts
  - Populated automatically by python debhelper
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - Unit tests passing, run during build
  - Sizable and organized test suite
  - Autopkgtests minimal, although also passing
- No cron jobs
- Build logs
  - No significant build errors or warnings
  - Some autodoc warnings

- No processes spawned
- Memory management is n/a
- No notable file IO
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
- No use of temp files
- No use of networking
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results
- No significant shellcheck results
- No significant bandit results

Produced some autodoc tracebacks during build but nothing egregious, code is well documented and backed by a sizable test suite.

Security team ACK for promoting python-sqlalchemy-utils to main.

Changed in python-sqlalchemy-utils (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
James Page (james-page) wrote :

MIR and Security Team +1 on this package for promotion to main - Marking Fix Committed

Changed in python-sqlalchemy-utils (Ubuntu):
status: New → Fix Committed
milestone: none → ubuntu-20.10
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
python-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy: universe/misc -> main
python-sqlalchemy-utils-doc 0.36.1-0ubuntu2 in groovy amd64: universe/doc/optional/100% -> main
python-sqlalchemy-utils-doc 0.36.1-0ubuntu2 in groovy arm64: universe/doc/optional/100% -> main
python-sqlalchemy-utils-doc 0.36.1-0ubuntu2 in groovy armhf: universe/doc/optional/100% -> main
python-sqlalchemy-utils-doc 0.36.1-0ubuntu2 in groovy i386: universe/doc/optional/100% -> main
python-sqlalchemy-utils-doc 0.36.1-0ubuntu2 in groovy ppc64el: universe/doc/optional/100% -> main
python-sqlalchemy-utils-doc 0.36.1-0ubuntu2 in groovy riscv64: universe/doc/optional/100% -> main
python-sqlalchemy-utils-doc 0.36.1-0ubuntu2 in groovy s390x: universe/doc/optional/100% -> main
python3-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy amd64: universe/python/optional/100% -> main
python3-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy arm64: universe/python/optional/100% -> main
python3-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy armhf: universe/python/optional/100% -> main
python3-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy i386: universe/python/optional/100% -> main
python3-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy ppc64el: universe/python/optional/100% -> main
python3-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy riscv64: universe/python/optional/100% -> main
python3-sqlalchemy-utils 0.36.1-0ubuntu2 in groovy s390x: universe/python/optional/100% -> main
15 publications overridden.

Changed in python-sqlalchemy-utils (Ubuntu):
status: Fix Committed → Fix Released