[MIR] python-uritemplate as dependency of mailman3

Bug #1820223 reported by Christian Ehrhardt  on 2019-03-15
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-uritemplate (Ubuntu)
Undecided
Unassigned

Bug Description

[Availability]
The package is already universe for quite a while and build/works fine so far.
It is for example already used for https://lists.canonical.com/mailman3/postorius/lists/
OTOH it is a library that can/could be used for much more than just the mailman3 stack.

It builds on amd64 only (arch:all)

This package builds python2 and python3 binaries, but the transition to mailman3 will only pull in the python3 binaries.

[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR of it is at bug 1775427:

Mailman (2) has only python2 support, but we strive for python3,
therefore Mailman3 which has python3 support should be promoted to main.

FYI - there was a former MIR discussion (aborted since the reason to promote back then was made a suggests instead) at bug 1540431

[Security]

No known CVEs found.

[Quality assurance]

As part of the mailman3 stacks as of now (Disco) this installs fine and works fine.
On itself it is useful to (many) other dependencies and does not need a post install configuration on its own.

The package does not ask debconf questions.

Zero known Ubuntu or Debian bugs.
Upstream has 5 open and 8 closed issues - none seems fatal to be concerned.

The package seems to get semi-regular updates by upstream and Debian.
We have Delta since 2016 and should actually feed that to Debian and become a sync again.
Task added to our overview to capture that.
Upstream seems hard to find it is no
 https://github.com/python-hyper/uritemplate/releases
as you might think but instead
 https://github.com/uri-templates/uritemplate-py/
Furthermore Upstream has no new releases on either of them for quite a while.

No exotic HW involved.

The package utilizes build time self tests.

d/watch is set up and ok.

No Lintian warning except newer Standards/Compat versions and no HTTPS links uses or GPG checks - nothing severe.
There are some warnigns on the copyright file which need to be re-checked in detail on the MIR review.

The package does not rely on demoted or obsolete packages.
py2 packages in this src, but as mentioned we won't pull them into main.
No new gt2k dependencies

[UI standards]

This is a low level library without (a lot) of user visible strings - no translations (needed).
No End-user applications that needs a standard conformant desktop file.

[Dependencies]

Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 to get an overview.

[Standards compliance]
The package meets the FHS and Debian Policy standards.
The packaging itself is very straight forward and uses dh_* as much as possible - the d/rules fits on one screen.

[Maintenance]

The Server team will subscribe for the package for maintenance, but in
general it seems low on updates and currently is a sync from Debian.

[Background]
The package description explains the general purpose and context of the package well.

description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

[Duplication]
No duplication of that functionality in the Archive in general or main in particular.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It Does not:
- run a daemon as root
- uses old webkit
- uses lib*v8 directly
- open a port
- integrates arbitrary javascript into the desktop
- processes arbitrary web content
- parse data formats
- deals with system authentication
- uses centralized online accounts

[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- does utilize build time self tests

[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

Of some concern is, that upstream considers itself discontinued https://github.com/uri-templates/uritemplate-py/
It links to https://github.com/python-hyper/uritemplate now which has newer releases.
Since no alternative is packaged yet that is no show stopper, but it should be evaluated.

[Summary]
Ack from the MIR-Teams POV, as outlined above a security review is not needed in this case.
Note: As outlined above I'd ask the server Team to take a look at how doable (or not) refreshing the package with a shift to the new upstream repo would be.
(A task has been added to the teams list tracking mailman3 activities)

Changed in python-uritemplate (Ubuntu):
status: New → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

After evaluating dependencies, required further changes and mostly maintainability for security and packaging it was decided there are too many concerns - not about any single package in particular, but the overall Mailman3 stack - about the ability to maintain and monitor it as well as we need it for support in main.

We have closed the primary LP bug already, the MIRs that are already approved - like this one - will stay that way, but we will make no seed change to pull things in for now. Yet if other needs come up for those they have a prepared MIR already.
Other bugs which are not yet completed in terms of review will be closed as Won't Fix.

Even thou it ended being aborted, I think that is a valid outcome of the MIR evaluations. Never the less I want to thank everybody involved for all the work spent in what was nearly a year working through these MIRs.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers