[MIR] python-xmlschema, elementpath, importlib-resources

Bug #1953363 reported by Corey Bryant
Affects                        Status        Importance  Assigned to  Milestone
elementpath (Ubuntu)           Fix Released  Undecided   James Page
importlib-resources (Ubuntu)   Fix Released  Undecided   James Page
python-xmlschema (Ubuntu)      Fix Released  High        Unassigned

Bug Description

[MIR] python-xmlschema

[Availability]
Currently in universe

[Rationale]
New versions of python-pysaml2 have a hard dependency on python-xmlschema.

commit 3b707723dcf1bf60677b424aac398c0c3557641d from pysaml2 (https://github.com/IdentityPython/pysaml2.git) introduced the dependency on xmlschema:

commit 3b707723dcf1bf60677b424aac398c0c3557641d
Author: Ivan Kanakarakis <email address hidden>
Date: Sat Jan 9 00:31:13 2021 +0200

    Fix CVE-2021-21238 - SAML XML Signature wrapping

    All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to
    verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML
    document against an XML schema. This allows invalid XML documents to trick the
    verification process, by presenting elements with a valid signature inside elements
    whose content has been malformed. The verification is offloaded to `xmlsec1` and
    `xmlsec1` will not validate every signature in the given document, but only the first it
    finds in the given scope.

    Credits for the report:

    - Victor Schönfelder Garcia (isits AG International School of IT Security)
    - Juraj Somorovsky (Paderborn University)
    - Vladislav Mladenov (Ruhr University Bochum)

    Signed-off-by: Ivan Kanakarakis <email address hidden>

[Security]
No security history

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
Depends on python3-elementpath which is in universe.

[Standards Compliance]
FHS and Debian Policy compliant

[Maintenance]
Simple python package that the OpenStack Team will take care of

[Background]
The xmlschema library is an implementation of XML Schema for Python (supports Python 3.6+).

This library arises from the needs of a solid Python layer for processing XML Schema based files for MaX (Materials design at the Exascale) European project. A significant problem is the encoding and the decoding of the XML data files produced by different simulation software. Another important requirement is the XML data validation, in order to put the produced data under control. The lack of a suitable alternative for Python in the schema-based decoding of XML data has led to build this library. Obviously this library can be useful for other cases related to XML Schema based processing, not only for the original scope.

The full xmlschema documentation is available at https://xmlschema.readthedocs.io/en/latest/

-------------------------------------------------------------------------

[MIR] elementpath

[Availability]
Currently in universe

[Rationale]
New versions of python3-pysaml2 have a hard dependency on python3-xmlschema, which has a hard dependency on python3-elementpath.

[Security]
No security history

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main

[Standards Compliance]
FHS and Debian Policy compliant

[Maintenance]
Simple python package that the OpenStack Team will take care of

[Background]
Provides XPath 1.0 and 2.0 selectors for Python's ElementTree XML data structures, both for the standard ElementTree library and for the lxml.etree library.

https://github.com/sissaschool/elementpath

-------------------------------------------------------------------------

[MIR] importlib-resources

[Availability]
Currently in universe

[Rationale]
New versions of python3-pysaml2 have a hard dependency on importlib-resources - this is a backport of the importlib.resources module found in Python 3.9 or later. Why do we need this module then? Well for OpenStack it will be backported to Focal which uses a pre 3.9 Python version.

[Security]
No security history

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main

[Standards Compliance]
FHS and Debian Policy compliant

[Maintenance]
Simple python package that the OpenStack Team will take care of
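The commit message above explains the class of bug behind CVE-2021-21238: without schema validation, a signed element can be smuggled inside a malformed parent, and xmlsec1 only verifies the first signature it meets in a scope. The following is an added illustration, not pysaml2's code and not the fix from commit 3b707723: it shows, with only the standard library, the kind of structural pre-check that XML-schema validation provides before a document is handed to a signature verifier. The namespaces are the real SAML 2.0 / XML-DSig ones; the sample documents, the `urn:example:constructed` wrapper element, the rules and the function name `check_saml_structure` are constructed for this example.

```python
"""Structural pre-checks on a SAML Response before signature verification.

Added example, not pysaml2's code and not the CVE-2021-21238 fix. It stands in
for the XML-schema validation that the commit message says pysaml2 <= 6.4.1
lacked, using xml.etree.ElementTree only. The rules are a constructed subset of
what the SAML schema enforces; samples below are constructed and carry no real
signature values.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

RESPONSE = f"{{{SAMLP}}}Response"
ASSERTION = f"{{{SAML}}}Assertion"
SIGNATURE = f"{{{DS}}}Signature"
REFERENCE = f"{{{DS}}}Reference"


def _parent_map(root: ET.Element) -> dict:
    """ElementTree has no parent pointers; build child -> parent once."""
    return {child: parent for parent in root.iter() for child in parent}


def check_saml_structure(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the shape is acceptable.

    Constructed rules (a subset of what a schema would enforce):
      1. Assertion elements appear only as direct children of the Response.
      2. Every Signature is a direct child of the Response or an Assertion and
         references exactly its parent's ID (an enveloped signature).
      3. No element carries more than one Signature child, because the commit
         message notes xmlsec1 verifies only the first it finds in a scope.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != RESPONSE:
        return [f"root element is {root.tag}, expected samlp:Response"]
    parents = _parent_map(root)

    # Rule 1: an Assertion nested anywhere else is outside the schema's shape.
    for assertion in root.iter(ASSERTION):
        parent = parents[assertion]
        if parent is not root:
            findings.append(
                f"Assertion {assertion.get('ID')!r} is nested under "
                f"{parent.tag}, not directly under the Response")

    # Rule 2: each Signature must cover the element that encloses it.
    for sig in root.iter(SIGNATURE):
        parent = parents[sig]
        if parent.tag not in (RESPONSE, ASSERTION):
            findings.append(f"Signature found under unexpected element {parent.tag}")
            continue
        refs = [r.get("URI") for r in sig.iter(REFERENCE)]
        expected = "#" + (parent.get("ID") or "")
        if refs != [expected]:
            findings.append(
                f"Signature under {parent.tag} references {refs}, "
                f"expected [{expected!r}] (its own parent)")

    # Rule 3: more than one Signature in one scope is ambiguous for xmlsec1.
    for elem in root.iter():
        n = sum(1 for child in elem if child.tag == SIGNATURE)
        if n > 1:
            findings.append(f"{elem.tag} carries {n} Signature children; "
                            "only the first would be verified")
    return findings


# Constructed sample: one Assertion, enveloped signature pointing at it.
GOOD = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="r1">
  <saml:Assertion ID="a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample with a made-up wrapper element around one Assertion and a
# second Assertion whose Signature references an ID that is not its own.
BAD = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="r2">
  <x:Wrapper xmlns:x="urn:example:constructed">
    <saml:Assertion ID="a1">
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
    </saml:Assertion>
  </x:Wrapper>
  <saml:Assertion ID="a2">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: two Signature children on the same Response element.
DOUBLE_SIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:ds="{DS}" ID="r3">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#r3"/></ds:SignedInfo></ds:Signature>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#r3"/></ds:SignedInfo></ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD), ("DOUBLE_SIGNED", DOUBLE_SIGNED)):
        print(name, check_saml_structure(doc) or "ok")
```

A check like this is a cheap gate, not a replacement for validating against the real SAML and XML-DSig schemas as the upstream fix does; it rejects documents before any cryptography runs, which is the order the commit message argues for.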

description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

We assigned James as MIR reviewer as he usually takes yours, please let us know if that does not work for any reason and in that case unassign him please.

Changed in python-xmlschema (Ubuntu):
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in elementpath (Ubuntu):
assignee: nobody → James Page (james-page)
status: New → In Progress
Changed in python-xmlschema (Ubuntu):
status: New → In Progress
James Page (james-page)
summary: - [MIR] python-xmlschema, elementpath
+ [MIR] python-xmlschema, elementpath, importlib-resources
Changed in importlib-resources (Ubuntu):
assignee: nobody → James Page (james-page)
status: New → In Progress
description: updated
Revision history for this message
James Page (james-page) wrote :

>> importlib-resources <<

[Summary]
MIR team +1 for promotion to main

Notes:
autopackage test would be a nice improvement but not a blocking requirement.

[Duplication]
This module is part of the core Python library from 3.9+

This package is simply to provide a backport for older python
versions (the main use-case for which is the cloud archive
for OpenStack).

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Warnings:
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in importlib-resources (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
James Page (james-page) wrote :

>> elementpath <<

[Summary]
MIR team +1 for promotion to main

Notes:
autopackage test would be a nice improvement but not a blocking requirement.

[Duplication]
OK:
- No duplication with other packages in main.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Warnings:
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in elementpath (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
James Page (james-page) wrote :

>> python-xmlschema <<

[Summary]
MIR team +1 for promotion to main pending update to latest updates release and review from security team.

Notes:
autopackage test would be a nice improvement but not a blocking requirement

TODO:
Update to latest upstream release.
Security team review

[Duplication]
OK:
- No duplication with other packages in main.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

TODO:
- does parse data formats

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Warnings:
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is OK
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

TODO:
- the current release is not packaged

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Changed in python-xmlschema (Ubuntu):
status: In Progress → New
assignee: James Page (james-page) → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
elementpath 2.3.0-1 in jammy: universe/misc -> main
python3-elementpath 2.3.0-1 in jammy amd64: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy arm64: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy armhf: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy i386: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy ppc64el: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy riscv64: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in elementpath (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

Override component to main
importlib-resources 5.1.2-1 in jammy: universe/misc -> main
python3-importlib-resources 5.1.2-1 in jammy amd64: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy arm64: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy armhf: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy i386: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy ppc64el: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy riscv64: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in importlib-resources (Ubuntu):
status: Fix Committed → Fix Released
James Page (james-page)
Changed in python-xmlschema (Ubuntu):
milestone: none → ubuntu-22.04-feature-freeze
Changed in python-xmlschema (Ubuntu):
importance: Undecided → High
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Hello,

Does the security team think this will get reviewed in time for Jammy?

Thanks,
Corey

Revision history for this message
Seth Arnold (seth-arnold) wrote :

I'm not entirely sure when the actual real for real really deadline is, but if it's monday, probably not.

Sorry.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Hi Seth, I'm not sure when the deadline is either but I asked in #ubuntu-release. I'll let you know if I hear back.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Seth, I think we have time still. Do you think this gives us enough time for Jammy?

sil2100> Łukasz Zemczak coreycb: the earlier the better. As seb128 mentioned, we don't really have any hard freezes for these (besides final freeze of course), but the 'perfect goal' would be to get as much in for the beta this week as possible, so that if it's to be pulled in, it's tested as part of the Beta

Revision history for this message
Alex Murray (alexmurray) wrote :

I reviewed python-xmlschema 1.4.2-1 as checked into jammy. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.

python-xmlschema is a python package which provides XML schema support to
allow XML schemas to be parsed/loaded and queried etc. It also allows XML
documents to be validated against XML schema etc.

- No CVE History
- Interesting Build-Depends
  - python3-lxml, python3-elementpath
- pre/post inst/rm scripts
  - Standard auto-generated ones from dh_python3 to compile python code on
    installation / delete compiled code on uninstall
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 3 binaries in PATH
  - utilities to translate to/from XML and to validate XML schemas
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-json2xml
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-validate
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-xml2json
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - unit tests run during build via dh_auto_test
  - unit tests also run as autopkgtests
- No cron jobs
- Build logs look clean

- No processes spawned
- Memory management is not relevant as this is python
- File IO
  - As a library, will open files at paths specified by the caller of the
    library
  - Since documents can refer to remote resources, includes a sandbox mode
    so that remote resources will not be fetched / validated for local
    documents and vice-versa, but by default will fetch all resources
- Logging is careful from what I can see
- No apparent environment variable usage
- No apparent use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files (other than during tests)
- Use of networking to load remote resources via URIs
- No use of WebKit
- No use of PolicyKit

- No significant cppcheck results
- No significant Coverity results (a bunch of false positives)
- No significant shellcheck results
- No significant bandit results

The upstream project looks quite healthy - only 5 open github issues and
247 closed ones, and the oldest open issue is from 3rd February this year.

I do note that Debian recently updated to 1.10.0 - should this be synced to
jammy first? Is there a reason why this hasn't come already via the usual
Debian sync process?

Security team ACK for promoting python-xmlschema to main.

Changed in python-xmlschema (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks, summary.

- MIR ack present
- Security Ack present

=> What is still left open is the required TODO from the MIR review as identified by James "Update to latest upstream release."

That would currently be 1.10 which also is in Debian testing/unstable
python-xmlschema | 1.4.2-1 | stable | source
python-xmlschema | 1.10.0-1 | testing | source
python-xmlschema | 1.10.0-1 | unstable | source
python-xmlschema | 1.4.2-1 | impish/universe | source
python-xmlschema | 1.4.2-1 | jammy/universe | source

uscan: => Newer package available from
      https://github.com/sissaschool/xmlschema/archive/refs/tags/v1.10.0.tar.gz

Publishing history indicates there was no major update since January 2021 / Hirsute, so this request is still up.

https://launchpad.net/ubuntu/+source/python-xmlschema/+publishinghistory

Marking incomplete until updated

Changed in python-xmlschema (Ubuntu):
status: New → Incomplete
Revision history for this message
Corey Bryant (corey.bryant) wrote :

New version of python3-xmlschema is now in jammy-proposed.

Changed in python-xmlschema (Ubuntu):
status: Incomplete → New
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

It even migrated
 python-xmlschema | 1.10.0-1 | jammy/universe | source

This was the last missing bit (thanks Corey!).

Furthermore AFAICS it is already in
https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.html

Blocking the transition of
 python3-pysaml2 | 6.1.0-0ubuntu2 | jammy | all
 python3-pysaml2 | 7.1.0-0ubuntu2 | jammy-proposed | all

That is otherwise ok to go:
python-pysaml2 (6.1.0-0ubuntu2 to 7.1.0-0ubuntu2)
  Migration status for python-pysaml2 (6.1.0-0ubuntu2 to 7.1.0-0ubuntu2): BLOCKED:
  Rejected/violates migration policy/introduces a regression
  Issues preventing migration:
    python3-pysaml2/amd64 in main cannot depend on python3-xmlschema in universe
    Impossible Depends: python-pysaml2 -> python3-xmlschema/1.10.0-1/amd64
  Additional info:
  5 days old

So it is ready for promotion.
And doing so does not change a feature, but it would allow python3-pysaml2 to migrate clearing excuses a bit. Since it isn't on any image I think it can be promoted now (I'll need to ask to be sure I'm not missing a secret roadblock).

Changed in python-xmlschema (Ubuntu):
status: New → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

After some extra checks (The -doc package will be auto-included, but has only deps to main and thereby is no problem) and confirming with Lukasz (thanks) that there is no beta-freeze-problem making this harder this is ready.

None of this is left in -proposed, so only changing in -universe.

Override component to main
python-xmlschema 1.10.0-1 in jammy: universe/misc -> main
python-xmlschema-doc 1.10.0-1 in jammy amd64: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy arm64: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy armhf: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy i386: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy ppc64el: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy riscv64: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy s390x: universe/doc/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy amd64: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy arm64: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy armhf: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy i386: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy ppc64el: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy riscv64: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy s390x: universe/python/optional/100% -> main
Override [y|N]? y
15 publications overridden.

Changed in python-xmlschema (Ubuntu):
status: In Progress → Fix Released