[Bug 2072619] Re: [MIR] python-jsonschema-specifications
James Page
2072619 at bugs.launchpad.net
Tue Aug 6 09:22:46 UTC 2024
Review for Source Package: python-jsonschema-specifications
[Summary]
MIR team ACK
This does not need a security review
Notes:
TODO(non-blocking): Add autopkgtest to package to run in-tree tests.
[Rationale, Duplication and Ownership]
- There is no other package in main providing the same functionality.
- A team is committed to own long term maintenance of this package (ubuntu-openstack).
- The rationale given in the report seems valid and useful for Ubuntu
[Dependencies]
Other MIRs required for this package are detailed in the original submission,
so no further action is required directly from this MIR.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
xml, json, asn.1], network packets, structures, ...) from
an untrusted source.
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (dropping permissions, using temporary environments,
restricted users/groups, seccomp, systemd isolation features,
apparmor, ...)
Problems: None
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build.
- no new python2 dependency
- Python package, but using dh_python
Problems:
- does not have a non-trivial test suite that runs as autopkgtest;
however, as this package only contains reference data for JSON schemas,
I don't consider this a blocking issue.
[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under
control
- symbols tracking not applicable for this kind of code.
- debian/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is (good/slow/sporadic)
- Debian/Ubuntu update history is (good/slow/sporadic)
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems: None
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid / setgid
- use of setuid, but ok because TBD (prefer systemd to set those
for services)
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (user visible)?
Problems: None
** Changed in: python-jsonschema-specifications (Ubuntu)
Status: New => Fix Committed
https://bugs.launchpad.net/bugs/2072619
Title:
[MIR] python-jsonschema-specifications
Status in python-jsonschema-specifications package in Ubuntu:
Fix Committed
Bug description:
[Availability]
The package python-jsonschema-specifications is already in Ubuntu universe. Link to package: https://launchpad.net/ubuntu/+source/python-jsonschema-specifications.
[Rationale]
This package is required in ubuntu/main as it is a dependency for python-jsonschema, which is already in main (https://launchpad.net/ubuntu/+source/python-jsonschema).
[Security]
No CVEs/security issues in this software in the past.
No executables in /sbin and usr/bin.
Package does not install services, timers, or recurring jobs.
Package does not open privileged ports or expose any external endpoints.
Package does not contain extensions to security-sensitive software.
Package does not contain any cryptography functionality.
[QA – function/usage]
The package works well right after install.
[QA – maintenance]
The package is maintained well in Debian/Ubuntu/Upstream and does not have too many long-term and critical open bugs.
The package does not deal with exotic hardware that we cannot support.
[QA – testing]
The package contains unit tests and autopkgtests defined in debian/rules. It is confirmed to have run and passed the build tests and built successfully on amd64: https://launchpadlibrarian.net/738777197/buildlog_ubuntu-oracular-amd64.python-jsonschema-specifications_2023.12.1-1ubuntu1_BUILDING.txt.gz.
The debian/control file specifies the package can build for all architectures.
[QA – packaging]
A debian/watch file is present and it works.
A debian/control file defines a correct maintainer field (Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>).
This package does not yield massive Lintian warnings or errors.
Recent build log is linked above.
This package does not rely on obsolete or about to be demoted packages.
The package does not prompt the user during installation.
Packaging and build is easy. Link to debian/rules: https://git.launchpad.net/ubuntu/+source/python-jsonschema-specifications/tree/debian/rules?h=applied/ubuntu/oracular-proposed
[UI standards]
Application is not end-user facing.
[Dependencies]
This package depends on python3-rpds-py which is not in main. See MIR report here: https://bugs.launchpad.net/ubuntu/+source/rpds-py/+bug/2072621
This package depends on python3-referencing which is not in main. See MIR report here: https://bugs.launchpad.net/ubuntu/+source/referencing/+bug/2072620
[Standards compliance]
This package correctly follows FHS and Debian Policy.
[Maintenance/Owner]
The owning team will be Ubuntu OpenStack and I have their acknowledgment for that commitment. This team will be subscribed to package bugs before promotion.
This does not use static builds.
This does not use vendored code.
This package is not rust based.
This package has been built in the last 3 months in the archive. Link: https://launchpad.net/ubuntu/+source/python-jsonschema-specifications/2023.12.1-1ubuntu1/+build/28642329
[Background information]
This package provides a Python implementation of JSON schema specifications.
The package description explains the package well.
Upstream name is: jsonschema-specifications
Upstream link: https://github.com/python-jsonschema/jsonschema-specifications