[Summary] Alternative D-Bus implementation for Python applications. MIR team -1 due to duplication of function; if we could switch over all reverse-depends in main this switch would be re-considered.
I've asked the Ubuntu OpenStack team to review use of python3-keyring to see if we can remove 3/4 of the reverse-depends that hold keyring in main - launchpadlib seems to be a potential blocker. Would require security team review due to integration with D-Bus. [Duplication] Pure Python DBus implementation, fulfilling the same function as dbus-python. python-secretstorage has migrated to jeepney, however there are a large number of other packages that still depend on python3-dbus: $ reverse-depends -c main python3-dbus Reverse-Depends * hplip [amd64 arm64 armhf ppc64el s390x] * language-selector-common * networkd-dispatcher * python3-aptdaemon * python3-cupshelpers * python3-dbus-dbg * python3-secretstorage * software-properties-common * system-config-printer * system-config-printer-common * system-config-printer-udev [amd64 arm64 armhf ppc64el s390x] * ubiquity-frontend-gtk [amd64 arm64 armhf ppc64el] * ubuntu-release-upgrader-gtk * ubuntu-system-service * unattended-upgrades * update-manager * update-notifier [amd64 arm64 armhf ppc64el s390x] * update-notifier-common * usb-creator-common [amd64] * usb-creator-gtk [amd64] I suspect its unlikely that these will all migrate during the Focal timeframe so including this package into main would duplicate functionality. [Embedded sources and static linking] - no embedded source present - no static linking [Security] - no history of CVEs - does not use webkit1,2 - does not use lib*v8 directly - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not run a daemon as root - does not open a port But it has quite some security sensitive elements: - does not parse data formats - integrates with D-Bus - access to all data passed in between Will require security team review. [Common blockers] - does not currently FTBFS - no translation present, but none needed - no python2 - has autopkgtests - lacks a team bug subscriber [Packaging red flags] - In sync with debian - symbols tracking not applicable for this code. - d/watch is present and works - Upstream update history is good - Limited Debian/Ubuntu history (new for focal) - the current release is packaged - no MOTU problem - no Lintian warnings - d/rules nice and clean - not using Built-Using - no golang package for extra considerations about that [Upstream red flags] - no errors during the build - no incautious use of malloc/sprintf (N/A) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH - no use of user nobody - no use of setuid - no significant open bug reports upstream - no dependency on webkit, qtwebkit, seed or libgoa-* - no embedded source copies - not part of the UI for extra checks -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861268 Title: [MIR] jeepney To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/jeepney/+bug/1861268/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
