Comment 3 for bug 2022372

Mauricio Faria de Oliveira (mfo) wrote :

Hi Heather,

Thanks for the bug report with detailed tracks for releases and debdiff!

Tracks:

I think tracks that don't need the fix should be in 'Invalid' and not
"Won't Fix", since it's not like they had to be fixed but will not.

Impact:

Apparently if you reorder these lines it'd be clearer?

from

1) A method from cryptographic_utils was deprecated and replaced.
2) We are cherry-picking ... to address the unnecessary logging...
3) It also deprecates the usage ...

to

1) A method from cryptographic_utils was deprecated and replaced.
3) It also deprecates the usage ...
2) We are cherry-picking ... to address the unnecessary logging...

since 2 looks like the solution to the problem, and 3 is symptoms.

Also, it is important to highlight the need for the py3-crypto from
cloud archive to reproduce the problem in the Impact section.
(It's currently low profile in the middle of a long sentence in
Test Plan).

Where Problems Could Occur:

I'm not sure I followed why exactly the Build-Depends: are related
since the python code is loaded at runtime (so Depends: are used),
if you could clarify please.

> The impact is low as this fixes a deprecated 3rd party library.

I guess it fixes the _usage_ of a deprecated method from other lib?

It'd be nice if we could confirm that the new code (int.from_bytes)
is not only available in python-cryptography in the ubuntu archive
(old version, not the new version in UCA), but also does not
have bugs that need additional fixes from py-crypto upstream.

(since we'd be switching implementations, let's make sure the new
implementation is equivalent and/or has all fixes needed).

...

Debdiffs:

- changelog: needs LP: #number, and (nitpicking) further indent '-'
  under '*' is usual (not strictly required)

- dep3:
  - Origin: typo in "Origin, upstream: <url>" ("Origin: upstream, <url>")
  - Origin: URL is OK, but prefer shorter/commit "https://github.com/mitya57/secretstorage/commit/<id>"
    (we can get to the PR from the commit message or the LP bug number)
  - Bug-Ubuntu: URL is OK, but prefer shorter "https://bugs.launchpad.net/bugs/<number>"

Thanks!