Comment 5 for bug 2003570

Mark Esler (eslerm) wrote:

I reviewed rich 13.2.0-2 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

> Rich is a Python library for rich text and beautiful formatting in the terminal.

- CVE History:
  - none
  - upstream bug tracker is fairly well maintained
    - no security concerns
    - except https://github.com/Textualize/rich/issues/1903
- Build-Depends?
  - lunar main
    - debhelper-compat (debhelper)
    - python3-all (python3-defaults)
    - python3-setuptools (setuptools)
  - lunar universe
    - flit
    - pybuild-plugin-pyproject
    - python3-pytest (dh-python)
    - python3-markdown-it (active MIR)
    - python3-mypy (mypy)
    - python3-poetry-core (poetry)
    - python3-pygments
    - python3-pytest (pytest)
    - python3-typing-extensions (active MIR)
- pre/post inst/rm scripts?
  - yes, standard prerm and postinst generated by dh-python
  - dh-python is required, but missing from d/control!?
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - has build tests and autopkgtests
  - recent lunar autopkgtests result in "neutral"
    - likely fine; see mdurl MIR notes
- cron jobs?
  - none
- Build logs:
  - nothing concerning

- Processes spawned?
  - only in helper tool, see bandit reports
- Memory management?
  - standard python
- File IO?
  - file IO exceptions uncaught
  - progress.py overloads IO open() for accounting
- Logging?
  - responds to interactive console input being invalid
  - raises errors, prints warnings, etc. Not the most consistent, but reasonable for _trusted_ input
  - logging.py handles logs _being parsed by_ rich
- Environment variable usage?
  - console.py makes a copy of all env variables
    - Console._environ
    - only a few specific env variables actually used
  - diagnose.py prints a limited set of env variables
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - trivial
    - rand 1:1e6 chance of link_id collision
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - not significant
  - reported https://github.com/Textualize/rich/issues/2813
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - not too significant
  - several cases of Try, Except, Continue
  - ./tools/make_terminal_widths.py contains subprocess shell with runtime dependency on black

Rich has a large userbase with many downstream projects.

This MIR does not apply to kinetic, which requires python3-commonmark instead of markdown-it-py.

Rich is a relatively heavy and inefficient library, but has pretty results. Use of rich in netplan is isolated to netplan's status (and status is not called by other netplan components). Therefore, Security is not too concerned about adding this.

./tools/ can be removed to avoid a runtime dependency on black. The directory ./benchmarks/results/ can also be removed to save bandwidth. It appears to build fine without either. Image file sizes are huge.

This package contains a prerm and postinst script generated by dh-python, but dh-python is not listed as a Build-Depends in d/control. This must be resolved before promoting to main.

Security team ACK for promoting rich to main, after (1) dh-python is added to d/control and (2) removing ./tools/ is considered.