[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Alex Murray
alex.murray at canonical.com
Fri Feb 21 06:52:34 UTC 2020
- Previous message (by thread): [Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
- Next message (by thread): [Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I reviewed python-configshell-fb 1.1.fb25-1.1 as checked into focal. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
python-configshell-fb provides a Python library which is used for building
CLI-based user interfaces. Upstream appears healthy and responsive.
- CVE History:
- None
- No security relevant Build-Depends
- debhelper, dh-python, python3-all, python3-pyparsing, python3-setuptools, python3-six
- pre/post inst/rm scripts
- These are fine - just the auto-generated ones by dh_python3 to
py3compile on postinst and py3clean on prerm
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- No unit tests / autopkgtests
- This will make doing any security updates hard to test...
- No cron jobs
- Clean build log
- No processes spawned
- File IO
- Uses files for preferences and logging but these are all parameters to
the library and not hard-coded
- Preferences are saved and restored using pickle which could present a
security issue since this does little sanity checking on formats etc -
however this is done using a file-name provided by the user of the
library and relative to the user's home directory so this is likely
safe - although there is no use of umask() to ensure this file is not
accessible by others so perhaps that at least should be employed
- Logging
- Uses general python format strings etc - this is safe
- No environment variable usage
- No Use of privileged functions
- No Use of cryptography / random number sources etc
- No Use of temp files
- No Use of networking
- No Use of WebKit
- No Use of PolicyKit
Static analysis via bandit and Coverity does not show anything
significant
Security team ACK for promoting python-configshell-fb to main however I
would be happier if some unit tests were added so that some testing can be
done for any future updates to ensure regressions are not introduced.
** Changed in: python-configshell-fb (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-rtslib-fb in Ubuntu.
https://bugs.launchpad.net/bugs/1854362
Title:
[MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb,
urwid, targetcli-fb
Status in ceph-iscsi package in Ubuntu:
Confirmed
Status in python-configshell-fb package in Ubuntu:
Confirmed
Status in python-rtslib-fb package in Ubuntu:
Confirmed
Status in targetcli-fb package in Ubuntu:
Confirmed
Status in tcmu package in Ubuntu:
Confirmed
Status in urwid package in Ubuntu:
Confirmed
Bug description:
== ceph-iscsi ==
[Availability]
In universe
[Rationale]
Provides iSCSI gateway to a Ceph cluster, allowing clients which don't understand RBD to use Ceph storage.
[Security]
No security history found.
[Quality assurance]
Package runs tests during package build (submitted back to Debian).
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== tcmu ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
Handles the userspace side of the LIO TCM-User backstore allowing LIO
to use librbd for Ceph backed block devices.
[Security]
Some security history:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcmu
All in older versions.
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== python-configshell-fb ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
[Security]
No security history
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== python-rtslib-fb ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
[Security]
No security history
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== urwid ==
[Availability]
In universe
[Rationale]
Dependency for python-configshell-fb
[Security]
No security history
[Quality assurance]
Tests present and executed during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== targetcli-fb ==
[Availability]
In universe
[Rationale]
- Only CLI for iSCSI target feature in Linux Kernel
- Replaces with much better performance tgt iSCSI target
- tgt is being deprecated slowly and poorly updated
- LIO fully supports SCSI 3 reservations (for clustering)
[Security]
No security history
[Quality assurance]
Tests present and executed during package build.
[Dependencies]
- python3-configshell-fb (this MIR)
- python3-gi (main)
- python3-rtslib-fb (this MIR)
- python3-six (main)
[Standards compliance]
OK
[Maintenance]
ubuntu-server
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph-iscsi/+bug/1854362/+subscriptions
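The review above flags two things about how preferences are persisted: pickle does no validation of what it loads, and the preferences file is written without a umask() call to keep it private. The following is an added example written for this page; it is not code from python-configshell-fb or from the reviewer. It first shows, with a constructed pickle payload, that a tampered preferences file is executed rather than merely parsed, and then shows one hardened alternative: a JSON file created with mode 0600 (via tempfile.mkstemp, which is independent of the process umask) and loaded through a type-checked merge with defaults. The function names and the preference keys (`color_mode`, `prompt_length`) are assumptions chosen for the example, not the library's own.

```python
import json
import os
import pickle
import stat
import tempfile

# Constructed payload: any class whose __reduce__ returns a callable and
# arguments is executed by pickle.load(). A preferences file on disk that
# an attacker can edit is therefore code, not data, to the loading process.
class TamperedPrefs:
    def __reduce__(self):
        return (exec, ("import os; os.environ['PICKLE_DEMO'] = "
                       "'code ran during pickle.load'",))

def unsafe_load_prefs(data: bytes):
    """The risky pattern: unpickle whatever is in the preferences file."""
    return pickle.loads(data)

def demo_pickle_runs_code() -> str:
    """Returns the marker the payload planted, proving code ran on load."""
    os.environ.pop("PICKLE_DEMO", None)
    unsafe_load_prefs(pickle.dumps(TamperedPrefs()))
    return os.environ.get("PICKLE_DEMO", "")

# Hardened alternative (assumed names, not the library's API).
DEFAULT_PREFS = {"color_mode": True, "prompt_length": 30}  # constructed keys

def save_prefs_json(path: str, prefs: dict) -> None:
    """Write preferences as JSON to a file created 0600 regardless of umask.
    Writing a temp file in the same directory and os.replace()-ing it over
    the target also means a crash mid-write never leaves a truncated file."""
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".prefs-")  # 0600 by design
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(prefs, f)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def load_prefs_json(path: str, defaults: dict) -> dict:
    """Load preferences as plain data. A missing, unreadable or corrupt file
    yields the defaults; unknown keys are ignored; a value whose type does
    not match its default is dropped. Nothing in the file can run code."""
    try:
        with open(path) as f:
            loaded = json.load(f)
    except (OSError, ValueError):
        return dict(defaults)
    prefs = dict(defaults)
    if isinstance(loaded, dict):
        for key, default in defaults.items():
            value = loaded.get(key, default)
            if isinstance(value, type(default)):
                prefs[key] = value
    return prefs

def file_mode(path: str) -> int:
    """Permission bits of a file, for checking the 0600 guarantee (POSIX)."""
    return stat.S_IMODE(os.stat(path).st_mode)

def demo_json_round_trip() -> dict:
    """Save, reload, then overwrite the file with tampered and garbage
    content to show the loader degrades to defaults instead of failing."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "prefs.json")
        save_prefs_json(path, {"color_mode": False, "prompt_length": 40})
        mode = file_mode(path)
        good = load_prefs_json(path, DEFAULT_PREFS)
        with open(path, "w") as f:  # constructed tampered file
            f.write('{"color_mode": "yes", "prompt_length": 12, "extra": 1}')
        tampered = load_prefs_json(path, DEFAULT_PREFS)
        with open(path, "w") as f:  # constructed corrupt file
            f.write("not json")
        garbage = load_prefs_json(path, DEFAULT_PREFS)
    return {"mode": mode, "good": good, "tampered": tampered, "garbage": garbage}

if __name__ == "__main__":
    print("pickle:", demo_pickle_runs_code())
    for name, value in demo_json_round_trip().items():
        print(f"{name}: {oct(value) if name == 'mode' else value}")
```

The reviewer's point about umask() is addressed here by creating the file with an explicit 0600 mode rather than by changing the process-wide umask, which would also affect every other file the calling program creates; either approach closes the world-readable window, but the per-file one has no side effects on the caller. The type-checked merge is what replaces pickle's "little sanity checking": the format is parsed, then every field is validated against a known default before it is trusted.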