[Bug 1915445] Re: [MIR] python-aws-requests-auth package

Christian Ehrhardt  1915445 at bugs.launchpad.net
Wed Feb 17 12:48:24 UTC 2021


[Summary]
MIR Team ack, but a few follow-ups are needed to complete.
This does need a security review.
List of specific binary packages to be promoted to main: python3-aws-requests-auth

Required TODOs:
- subscriber was suggested to be foundations, but I'd need foundations
  to say that they are ok with that.
  @Matt - I'm assigning to you so you can make that call. If you agree
  subscribe Foundations-bugs (or at least confirm that you will do so
  eventually) - once done please assign ubuntu-security who is the next
  team that has to look at this.

Recommended TODOs:
- the source has tests, but they don't run at build time.
  Fixing that should be some easy extra coverage.
  @Josh/@Matt - do you have someone who could look at this?

[Duplication]
There is no other package in main providing the same functionality.
python3-awsauth comes close, but is not in main, and limited to just S3.


[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning (none)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does not parse data formats
- does not deal with system authentication - not for the local system, but
  authentication it is. As Josh outlined this gladly is rather small, so
  it might be quick.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs as autopkgtest (although superficial)
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Problems:
- does not have a test suite that runs at build time
  There would be these:
  ./aws_requests_auth/tests/test_boto_utils.py
  ./aws_requests_auth/tests/test_aws_auth.py
  which for some reason are not discovered by python3.9 -m unittest discover -v
  at build time; fixing that up would help to get this more stable.


[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is slow but ok (not much movement)
- Debian/Ubuntu update history is slow but ok
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using


[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: python-aws-requests-auth (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => Matthieu Clemenceau (mclemenceau)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1915445

Title:
  [MIR] python-aws-requests-auth package

Status in python-aws-requests-auth package in Ubuntu:
  New

Bug description:
  [Availability]
  python-aws-requests-auth was introduced in Bionic as a sync from Debian and carries no patches. It only depends on packages provided in main (python and python-requests). The package builds an architecture-independent package (all).

  [Rationale]
  This package is to be included in AWS cloud images the public cloud team builds going back to Bionic. As cloud images are to ship only packages from main this request is to see that happen.

  [Security]
  As there is network communication to authenticate this warrants a security review. The good news is the entire package is a couple of hundred lines of python.

  [Quality assurance]
  There are currently 0 open bug reports (excluding this one) about the package in Ubuntu or Debian.

  [Dependencies]
  python and python-requests, both in main already

  [Standards compliance]
  $ lintian python-aws-requests-auth_0.4.3-1.dsc
  W: python-aws-requests-auth source: newer-standards-version 4.5.1 (current is 4.5.0)

  [Maintenance]
  Foundations team

  [Background information]
  This package allows you to authenticate to AWS with Amazon's signature version 4 signing process with the python requests library.

  Upstream:
  https://github.com/davidmuller/aws-requests-auth
  Launchpad page:
  https://launchpad.net/ubuntu/+source/python-aws-requests-auth
  Ubuntu bugs:
  https://bugs.launchpad.net/ubuntu/+source/python-aws-requests-auth
  Debian Package Tracker:
  https://tracker.debian.org/pkg/python-aws-requests-auth
  Debian bugs:
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=python-aws-requests-auth
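As an added illustration (not the project's own code) of what such a requests auth hook has to get right, and therefore what the security review above would look at: the SigV4 steps of canonical request, string to sign, derived signing key and Authorization header, over constructed request values. AKIDEXAMPLE and the matching secret are AWS's published placeholder credentials, not real keys; the date and host are assumed sample values.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials and request (AWS's documented placeholders, not real keys).
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
REGION, SERVICE, HOST = "us-east-1", "iam", "iam.amazonaws.com"
AMZ_DATE = "20150830T123600Z"  # assumed timestamp; a real hook reads the clock


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derived SigV4 key: an HMAC chain over date, region, service and 'aws4_request'."""
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key  # never the raw secret: a leaked derived key is scoped to one day/region/service


def canonical_request(method: str, path: str, query: dict, headers: dict, body: bytes) -> str:
    """Canonical form the signature covers: method, path, sorted query, sorted headers, body hash."""
    names = sorted(h.lower() for h in headers)
    lowered = {h.lower(): v.strip() for h, v in headers.items()}
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    return "\n".join([method, quote(path, safe="/-_.~"), canon_query, canon_headers,
                      ";".join(names), hashlib.sha256(body).hexdigest()])


def sign(method: str, host: str, path: str, query: dict, body: bytes, amz_date: str,
         access_key: str, secret_key: str, region: str, service: str) -> dict:
    """Return the headers an auth hook attaches: host, x-amz-date and Authorization."""
    headers = {"host": host, "x-amz-date": amz_date}
    signed_names = ";".join(sorted(headers))
    creq = canonical_request(method, path, query, headers, body)
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_names}, Signature={signature}")
    return headers


def demo() -> dict:
    """Sign a constructed IAM ListUsers GET with an empty body."""
    return sign("GET", HOST, "/", {"Action": "ListUsers", "Version": "2010-05-08"}, b"",
                AMZ_DATE, ACCESS_KEY, SECRET_KEY, REGION, SERVICE)
```

Any change to a signed header, the path, the query or the body changes the canonical request hash and so the signature, which is what lets the service reject a tampered or replayed request outside the date scope.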
