[Bug 1930111] Re: [MIR] new dependencies of cherrypy3: jaraco.collections, jaraco.classes, jaraco.text, python-cheroot, python-jaraco.functools, python-tempora, python-portend, zc.lockfile
Camila Camargo de Matos
1930111 at bugs.launchpad.net
Wed Feb 16 17:27:04 UTC 2022
Hello,
I have been doing the security review for this package and before I can
finalize it, I would like to address some possible issues and try to
understand what might be their consequences:
(1) When building the package for analysis, I was unable to do so with
testing activated. The tests hang at 19% and the build simply does not
continue when it reaches this point. Of course, it could be that the
test takes an extremely long time (I did not wait more than 2hrs before
deciding to cancel the build and restart with tests deactivated), but
either way, we need builds to finish in order to support the package,
and it would be ideal to include tests to make sure that our updates
are good ones. Is this a known issue? Is it possible I did something
wrong when building? If it is indeed an issue, how could we solve it?
(2) While analyzing the code, I came across a function that creates Unix
sockets with the 0777 permission set. This could be an issue, so I would
like to know more about the uses that will be utilizing the Unix sockets
functionality, as well as if they should be considering permissions
other than 0777.
Thanks!
Regards,
Camila Camargo de Matos.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to jaraco.classes in Ubuntu.
https://bugs.launchpad.net/bugs/1930111
Title:
[MIR] new dependencies of cherrypy3: jaraco.collections,
jaraco.classes, jaraco.text, python-cheroot, python-jaraco.functools,
python-tempora, python-portend, zc.lockfile
Status in cherrypy3 package in Ubuntu:
In Progress
Status in jaraco.classes package in Ubuntu:
Fix Released
Status in jaraco.collections package in Ubuntu:
Fix Released
Status in jaraco.text package in Ubuntu:
Fix Released
Status in python-cheroot package in Ubuntu:
In Progress
Status in python-jaraco.functools package in Ubuntu:
Fix Released
Status in python-portend package in Ubuntu:
Fix Released
Status in python-tempora package in Ubuntu:
Fix Released
Status in zc.lockfile package in Ubuntu:
Fix Released
Bug description:
[Availability]
All packages are already in universe, and in sync with Debian.
They are all architecture independent.
jaraco.classes and jaraco.collections are new to Debian & Ubuntu (currently only in experimental), and portend and jaraco.functools are relatively new, since 2019.
cheroot and zc.lockfile have been in Debian & Ubuntu for many years.
[Rationale]
Dependencies of the new cherrypy3 18.6.0-1 release.
[Security]
No security issues ever reported for any of these libraries.
[Quality assurance]
All the packages are simple Python libraries, no configuration or debconf questions.
No open bugs in Debian or Ubuntu.
jaraco.classes, jaraco.collections, jaraco.functools, jaraco.text, portend, tempora, and zc.lockfile's test suites are run at build time.
cheroot's test suite is not run at build time, due to missing dependencies in the archive (jaraco.context).
No significant lintian issues, although jaraco.functools, portend, tempora and zc.lockfile could fix some obvious trivial issues.
[Dependencies]
This issue is for a set of dependencies for cherrypy3.
[Standards compliance]
Packages are simple python libraries, installed to the correct locations, and lintian clean (except old standards versions, compats, etc.)
[Maintenance]
All packages seem relatively well maintained upstream, and are a few years old at this point.
jaraco.classes, jaraco.collections, jaraco.functools, portend, and tempora have 0 open issues and pull requests, upstream.
cheroot has tens of open issues and pull requests, but the project hasn't stagnated, it just seems to be being actively developed.
zc.lockfile has seen no commits since 2019, but doesn't have issues and PRs piling up.
[Background information]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cherrypy3/+bug/1930111/+subscriptions
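Point (2) of the review message above concerns Unix sockets created with mode 0777. The following Python is an added example, not part of the original message and not code from cheroot or any package under review; it binds a socket with an explicit mode and reports which permission classes may connect. The helper names, the 0660 alternative and the Linux rule that connect() needs write permission on the socket file are assumptions of the example.

```python
import os
import socket
import stat
import tempfile


def bind_unix_socket(path, mode):
    """Bind a listening Unix socket at `path` with an explicit file mode."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # Create the socket file owner-only (0600) first, so it is never more
    # permissive than `mode` between bind() and chmod().
    old_umask = os.umask(0o177)
    try:
        sock.bind(path)
        os.chmod(path, mode)
        sock.listen(1)
    except OSError:
        sock.close()
        raise
    finally:
        os.umask(old_umask)
    return sock


def who_can_connect(path):
    """Permission classes whose mode bits allow connect() to the socket.

    Assumes Linux semantics: connecting needs write permission on the
    socket file. Parent-directory permissions also gate access and are
    not checked here.
    """
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a Unix socket" % path)
    bits = (("owner", stat.S_IWUSR), ("group", stat.S_IWGRP),
            ("other", stat.S_IWOTH))
    return [name for name, bit in bits if st.st_mode & bit]


def compare_modes(modes=(0o777, 0o660)):
    """Bind one socket per mode in a private temp dir and report access."""
    report = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in modes:
            path = os.path.join(tmp, "demo-%04o.sock" % mode)
            sock = bind_unix_socket(path, mode)
            try:
                report[mode] = who_can_connect(path)
            finally:
                sock.close()
    return report
```

With 0777 every local account that can reach the socket's directory can connect; with 0660 access is limited to the owning user and group.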