[Bug 1915445] Re: [MIR] python-aws-requests-auth package
Avital Ostromich
1915445 at bugs.launchpad.net
Wed Jun 16 23:54:20 UTC 2021
I reviewed python-aws-requests-auth 0.4.3-2 as checked into impish. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
python-aws-requests-auth is a python package for manually signing AWS
requests with additional functionality to retrieve AWS credentials via
boto.
- CVE History:
  - No history of CVEs
- Build-Depends?
  - debhelper-compat (= 13), dh-python, python3-all, python3-botocore, python3-mock, python3-setuptools
- pre/post inst/rm scripts?
  - Populated automatically by python debhelper
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - Unit tests passing
  - Unit tests run during build
  - Well-documented test suite
- No cron jobs
- Build logs:
  - No significant build errors or warnings
  - No lintian failures
- No processes spawned
- Memory management N/A
- No file IO
- No logging
- No environment variables
- No use of privileged functions
- Use of cryptography
  - Uses python HMAC module to sign the requests, in accordance with the official AWS examples.
- No use of temp files
- Use of networking
  - Retrieves AWS credentials with boto module in a non-core/convenience function.
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- No significant Coverity results
- No significant shellcheck results
- No significant bandit results
python-aws-requests-auth is not currently actively maintained upstream
(https://github.com/DavidMuller/aws-requests-auth/pull/52#issuecomment-583591776);
the latest PR from Feb 2021 has not been responded to. That said, the
code base is small and neatly documented, heavily drawing from the
existing AWS example code for its functionality.
Security team ACK for promoting python-aws-requests-auth to main.
** Changed in: python-aws-requests-auth (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1915445
Title:
[MIR] python-aws-requests-auth package
Status in python-aws-requests-auth package in Ubuntu:
New
Bug description:
[Availability]
python-aws-requests-auth was introduced in Bionic as a sync from Debian and carries no patches. It only depends on packages provided in main (python and python-requests). The package builds an architecture-independent package (all).
[Rationale]
This package is to be included in AWS cloud images the public cloud team builds going back to Bionic. As cloud images are to ship only packages from main this request is to see that happen.
[Security]
As there is network communication to authenticate this warrants a security review. The good news is the entire package is a couple of hundred lines of python.
[Quality assurance]
There are currently 0 open bug reports (excluding this one) about the package in Ubuntu or Debian.
[Dependencies]
python and python-requests, both in main already
[Standards compliance]
$ lintian python-aws-requests-auth_0.4.3-1.dsc
W: python-aws-requests-auth source: newer-standards-version 4.5.1 (current is 4.5.0)
[Maintenance]
Foundations team
[Background information]
This package allows you to authenticate to AWS with Amazon's signature version 4 signing process with the python requests library.
Upstream:
https://github.com/davidmuller/aws-requests-auth
Launchpad page:
https://launchpad.net/ubuntu/+source/python-aws-requests-auth
Ubuntu bugs:
https://bugs.launchpad.net/ubuntu/+source/python-aws-requests-auth
Debian Package Tracker:
https://tracker.debian.org/pkg/python-aws-requests-auth
Debian bugs:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=python-aws-requests-auth