[Bug 1108935] Re: [MIR] websockify, spice-html5

James Page james.page at ubuntu.com
Wed Apr 1 08:52:02 UTC 2020


In response to Christian's list of TODOs in his review

To ensure a base level (requirement for the ack)
- set someone down a day installing that for real
- use it with OpenStack
- (try to) use it without openstack as well
- is it really providing what you want/need?
TODO => State on the bug the result of your testing!

I've tested both in the context of OpenStack, and standalone with
websockify and libvirt to validate that spice-html5 is functional and
works as intended. There are some warning messages about unsupported
features but it works OK.  It's essential to use the virtio video adapter
option but I was able to login and control a default 20.04 cloud image
VM running under libvirt.

- check all the general Spice CVEs if any apply to this JS based code (might just not be tracked against spice-html5 but apply)
TODO => State on the bug the result of your CVE check per CVE why they do not apply!

Rechecked general SPICE CVEs:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=spice

Unable to find any that relate to spice-html5.

I also searched for some of the 3rd party js files:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jsbn
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SHA-1

but was unable to find any related open CVEs.

- update to 0.2.x
TODO => Then feel free to set it to "in progress" to reflect that it is approved.

Done and tested as part of this review.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1108935

Title:
  [MIR] websockify, spice-html5

Status in nova package in Ubuntu:
  Fix Released
Status in spice-html5 package in Ubuntu:
  Confirmed
Status in websockify package in Ubuntu:
  Fix Released

Bug description:
  > websockify

  Availability: Currently in universe

  Rationale: Dependency for nova console access

  Security: No security history.

  Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
  Unit tests are run for py2 and py3 as part of the package build.

  Standards Compliance: FHS and Debian Policy compliant.

  Maintenance: Simple python package that the Ubuntu OpenStack Team will
  take care of.

  Dependencies: All are in main

  > spice-html5

  Availability: Currently in universe

  Rationale: Dependency for nova console access

  Security: No security history.

  Quality Assurance: Package works out of the box with no prompting.
  There are no major bugs in Ubuntu and there are no major bugs in Debian.
  No unit tests in the package AFAICT - html + javascript gluecode.

  Standards Compliance: FHS and Debian Policy compliant.

  Maintenance: Simple python package that the Ubuntu OpenStack Team will
  take care of.

  Dependencies: All are in main apart from websockify.
