[Bug 1349119] Re: [MIR] new dependencies for twisted
Seth Arnold
1349119 at bugs.launchpad.net
Thu Jul 31 04:50:22 UTC 2014
I reviewed python-service-identity version 1.0.0-0ubuntu1 as checked into
utopic. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- python-service-identity provides RFC 6125 verification of dNSName,
  uniformResourceIdentifier, otherName types of subjectAltName extensions
  in X.509 certificates.
- Build-Depends: debhelper, dh-python, python-all, python-setuptools,
  python-openssl, python-pyasn1-modules, python-characteristic,
  python-pytest, python3-all-dev, python3-setuptools, python3-openssl,
  python3-pyasn1-modules, python3-characteristic, python3-pytest
- Uses OpenSSL
- Does not itself use networking
- Does not daemonize
- May run as a system user
- No maintainer scripts
- No initscripts
- No dbus services
- No setuid files
- No new binaries
- No sudo fragments
- No udev rules
- Good test suite -- but does not run during build
- No cron jobs
- Build logs clean
- No processes spawned
- No memory management
- No files written
- No logging
- No environment variables
- No privileged portions of code
- Extensive X.509 parsing
  Since the comparisons are made using Python byte streams, I believe the
  classical nul character attack won't give incorrect results.
- Does not itself do networking
- No temporary files
- No webkit
- No javascript
- Clean pyflakes
- No PolicyKit

This package is relatively new and performs relatively complex operations;
however, the coding style is clear and concise, upstream has published
security contacts and intends to not break published APIs.

Please investigate why the tests report "Ran 0 tests in 0.000s". The tests
look extensive; we should make sure they run at build time.

Once the tests are addressed, security team ACK for promoting
python-service-identity to main.

Thanks
** Changed in: python-service-identity (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-idna in Ubuntu.
https://bugs.launchpad.net/bugs/1349119
Title:
  [MIR] new dependencies for twisted

Status in “python-characteristic” package in Ubuntu:
  Fix Committed
Status in “python-idna” package in Ubuntu:
  Fix Committed
Status in “python-pyasn1-modules” package in Ubuntu:
  Fix Committed
Status in “python-service-identity” package in Ubuntu:
  New

Bug description:
  twisted has a new dependency, python-service-identity.

  python-service-identity depends itself on python-characteristic and
  python-pyasn1-modules.

  characteristic is a one file module, programming aid, was just
  packaged to Debian and Ubuntu. looks ok.

  python-pyasn1-modules is a collection of ASN.1 data structures, which
  is not yet in python-pyasn1. no bug reports in Debian and Ubuntu.

  python-service-identity was just packaged, unsure if the security team
  wants to have a review.

  All three packages build python3 modules as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-characteristic/+bug/1349119/+subscriptions
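
Added example (not part of the original message and not python-service-identity's own code): a simplified RFC 6125 DNS-ID comparison on Python byte strings, next to a variant that truncates at the first NUL the way a C string API would, illustrating the NUL character remark in the review. The function names and the sample dNSName are constructed for illustration.

```python
# Added illustration; not code from python-service-identity.
# All certificate values below are constructed sample data.


def c_string_view(raw: bytes) -> bytes:
    """Return the bytes a NUL-terminated C API (strcmp, strlen) would see."""
    return raw.split(b"\x00", 1)[0]


def dns_id_matches(pattern: bytes, hostname: bytes) -> bool:
    """Simplified RFC 6125 DNS-ID match on full, length-aware byte strings.

    Case-insensitive and label by label; '*' is honoured only as the
    complete left-most label. An embedded NUL is just another byte, so it
    never terminates the comparison early.
    """
    p_labels = pattern.lower().split(b".")
    h_labels = hostname.lower().split(b".")
    # Same number of labels, and no empty label in the certificate name.
    if len(p_labels) != len(h_labels) or b"" in p_labels:
        return False
    if p_labels[0] == b"*":
        # Refuse wildcards directly under a top-level label ("*.com").
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def dns_id_matches_c_style(pattern: bytes, hostname: bytes) -> bool:
    """Flawed variant: the certificate name is cut at the first NUL byte."""
    return dns_id_matches(c_string_view(pattern), hostname)


# Constructed dNSName value as it could appear in a subjectAltName extension.
NUL_NAME = b"www.example.com\x00.untrusted.example"

if __name__ == "__main__":
    host = b"www.example.com"
    print("byte-wise match:", dns_id_matches(NUL_NAME, host))          # False
    print("C-style match:  ", dns_id_matches_c_style(NUL_NAME, host))  # True
```
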