[Bug 2072621] Re: [MIR] rpds-py
Mark Esler
2072621 at bugs.launchpad.net
Tue Oct 1 00:28:26 UTC 2024
I reviewed rpds-py 0.20.0-0ubuntu3 as checked into oracular. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> rpds.py: Python bindings to the Rust rpds crate for persistent data
> structures
- CVE History
  - None
  - overflow reported (issue #86, PR #87)
    - see below
  - Project has a SECURITY.md \o/
  - Project uses GitHub's Private Security Reporting Feature \o/
  - Bitdefender (Windows) incorrectly quarantines rpds.py
- Build-Depends
  - vendored dependencies
- pre/post inst/rm scripts
  - yes, typical dh_python3 helper
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - includes build tests and autopkgtests
- cron jobs
  - none
- Build logs
  - fine
- Processes spawned
  - none
- Memory management
  - single "unsafe" use of as_ptr in AsPyPointer()
    - see comments at end
- File IO
  - in Python, only in tests
- Logging
  - none
- Environment variable usage
  - none
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - none
- Use of temp files
  - none
- Use of networking
  - none
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - none
    - only in tests.
- Any significant govulncheck results
  - none
- Any significant Semgrep results
  - none
The overflows in https://github.com/crate-py/rpds/issues/86 should be
addressed. The proposed fix looks proper.

Magic numbers come from Python's hashing algorithm implementation.

Note that this package vendors Rust packages. Vendored Rust packages are
(currently) not reviewed by Security MIRs. Auditing these vendored packages was
an explicit request from the MIR Team for this package. This is a broader
discussion that needs priority. In the `rustc` package, a Security Engineer
cannot review all 600+ vendored packages.

To Slyon's concern about parsing untrusted (user) source code, library footguns
in themselves are okay. How/if footguns are used in python-jsonschema is what
we would want to check. This feels okay on the surface.

Also note that per the MIR rules, Security Engineering is responsible for
tracking vulnerabilities in vendored code AND the owning team is responsible
for remediating vendored vulnerabilities reported by Security Engineering.
Currently, this process is not in effect. See SEC-4286 and
https://github.com/canonical/ubuntu-mir

Possibly `cargo audit` could be run as a build test.

Glad to see a MIR member who is not the owner review this.
Nice work adapting this from Debian to Ubuntu James 😎

Security team ACK for promoting rpds-py to main on the condition that owning
team applies PR #87 when it lands.
** Bug watch added: github.com/crate-py/rpds/issues #86
https://github.com/crate-py/rpds/issues/86
** Changed in: rpds-py (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: rpds-py (Ubuntu)
Status: New => In Progress
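Added example to go with the review's notes on the reported overflow and on the "magic numbers" (this is not code from rpds-py, the reviewer, or CPython): a Rust re-implementation of the 64-bit tuple hash from CPython's Objects/tupleobject.c, written with wrapping arithmetic, which is the discipline a Rust port of that routine needs to avoid panicking on overflow in debug builds. The function name `tuple_hash` is mine; whether rpds-py's `__hash__` mirrors this exact routine is not stated in the review.

```rust
// Added example (not rpds-py or CPython code). The three primes are xxHash's
// PRIME64_1, PRIME64_2 and PRIME64_5, which CPython uses as _PyHASH_XXPRIME_*;
// 3527539 and 1546275796 are CPython's constants as well.
const XXPRIME_1: u64 = 11400714785074694791;
const XXPRIME_2: u64 = 14029467366897019727;
const XXPRIME_5: u64 = 2870177450012600261;
const XXROTATE_BITS: u32 = 31;

/// Hash a sequence of already-computed element hashes (what `hash(item)`
/// returns in Python) the way CPython hashes a tuple on a 64-bit build.
///
/// Every step uses wrapping arithmetic on purpose: CPython relies on unsigned
/// C integers wrapping, while plain `+` / `*` in Rust panic on overflow when
/// overflow-checks are on (debug and test builds) and only wrap in release.
/// A port that uses the plain operators hashes fine in release and aborts
/// under test with large hash values.
pub fn tuple_hash(lanes: &[i64]) -> i64 {
    let mut acc: u64 = XXPRIME_5;
    for &lane in lanes {
        // Reinterpret the signed Python hash as an unsigned lane, as C does.
        acc = acc.wrapping_add((lane as u64).wrapping_mul(XXPRIME_1));
        acc = acc.rotate_left(XXROTATE_BITS);
        acc = acc.wrapping_mul(XXPRIME_2);
    }
    // Mix in the length so that (x,) and (x, x) hash differently.
    acc = acc.wrapping_add((lanes.len() as u64) ^ (XXPRIME_5 ^ 3527539));
    // -1 is reserved as the error value of Python's hash protocol.
    if acc == u64::MAX {
        return 1546275796;
    }
    acc as i64
}

fn main() {
    // Python: hash(()) == 5740354900026072187 on 64-bit CPython >= 3.8.
    println!("hash(())      = {}", tuple_hash(&[]));
    // Small non-negative ints hash to themselves, so these lanes are hash((1, 2)).
    println!("hash((1, 2))  = {}", tuple_hash(&[1, 2]));
    // Extreme lanes exercise the path that plain operators would trip on.
    println!("extreme lanes = {}", tuple_hash(&[i64::MIN, i64::MAX, -1]));
}
```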
https://bugs.launchpad.net/bugs/2072621
Title:
[MIR] rpds-py
Status in rpds-py package in Ubuntu:
In Progress
Bug description:
[Availability]
The package rpds-py is already in Ubuntu universe.
Link to package https://launchpad.net/ubuntu/+source/rpds-py
[Rationale]
This is a new dependency used by python-jsonschema, and python-jsonschema is already part of main ( https://launchpad.net/ubuntu/+source/python-jsonschema )
[Security]
- No CVEs/security issues in this software in the past.
  + https://ubuntu.com/security/cves?package=rpds-py
  + https://security-tracker.debian.org/tracker/source-package/rpds-py
- No executables in /sbin and usr/bin.
- Package does not install services, timers, or recurring jobs.
- Package does not open privileged ports or expose any external endpoints.
- Package does not contain extensions to security-sensitive software.
- Package does not contain any cryptography functionality.
[Quality assurance - function/usage]
The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
  not have too many, long-term & critical, open bugs
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/rpds-py/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=rpds-py
  - https://github.com/crate-py/rpds/issues
[Quality assurance - testing]
- The package contains unit tests. It is confirmed to have run and pass the build tests and built successfully on amd64: https://launchpadlibrarian.net/738777197/buildlog_ubuntu-oracular-amd64.python-jsonschema-specifications_2023.12.1-1ubuntu1_BUILDING.txt.gz
- The debian/control file specifies the package can build for all architectures.
- The autopkgtest is disabled, because it doesn't define any - https://git.launchpad.net/ubuntu/+source/rpds-py/tree/debian/control?h=ubuntu/oracular-devel#n21
[Quality assurance - packaging]
- A debian/watch is not present.
- debian/control defines a correct Maintainer field. The maintainer is set to "Debian Python Modules Team <python-modules-team at alioth-lists.debian.net>", because there is no Ubuntu delta applied.
- This package does not yield massive lintian Warnings, Errors
- Recent build log: https://launchpadlibrarian.net/738777197/buildlog_ubuntu-oracular-amd64.python-jsonschema-specifications_2023.12.1-1ubuntu1_BUILDING.txt.gz
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- The package does not prompt the user during installation.
- Packaging and build is easy, link to debian/rules: https://git.launchpad.net/ubuntu/+source/rpds-py/tree/debian/rules?h=ubuntu/oracular
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be Ubuntu OpenStack and I have their acknowledgement for that commitment
- The future owning team is not yet subscribed, but will subscribe to the package before promotion
- The team Ubuntu OpenStack is aware of the implications by a static build and commits to test no-change-rebuilds and to fix any issues found for the lifetime of the release (including ESM)
- This package does not use vendored code
- The package has been built within the last 3 months in PPA - https://launchpad.net/~freyes/+archive/ubuntu/lp2072621
- Build link on launchpad: https://launchpad.net/ubuntu/+source/rpds-py/0.12.0-3build1
[Background information]
- rpds-py is the Python bindings to the Rust rpds crate for persistent data structures. This library is a new dependency of python-jsonschema.
- Upstream Name is rpds-py
- Link to upstream project https://github.com/crate-py/rpds