Comment 1 for bug 1820238

Christian Ehrhardt  (paelzer) wrote : Re: [MIR] zope.i18nmessageid as dependency of mailman3

[Duplication]
No duplication for this functionality in main at the moment.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE history for this zope component.
But there is CVE for zope in general, so maybe that package was just never reviewed by anyone.

It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- use centralized online accounts
- integrate arbitrary javascript into the desktop
- deal with system authentication

Due to its integration into zope, it does, to some extent, indirectly:
- process arbitrary web content
- parse data formats

Therefore to err on the side of caution I mark it for security review.

[Common blockers]
- builds fine at the moment
- utilizes build time self tests
- utilizes a (rather trivial) smoke test as autopkgtest
- Server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3

[Packaging red flags]
- no current Ubuntu delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder
- I was concerned if the ZPL license would be ok (as I haven't touched it ever),
  but zope.interface already is in main with the same license so that must be ok.

Not perfect but ok:
- past updates to the package were sporadic (mostly as-is since initial packaging)
- due to that the most current release is not packaged (only a minor upgrade)
- The server team already took a task to check viability to update to the newest version on pypi

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
MIR Team Ack as the package seems small, easy and sane to me.
As outlined above due to its integration into the zope web stack
I'll assign to security for review.