I have serious reservations about this package. The build logs are very messy and report a LOT of problems. How does one tell "these problems are completely normal" from "these problems indicate a regression in the package"?
There are many cases of building strings to execute, either via simple one-liner scripts, or via subprocess execution; it feels very strange to see a tool programmed in a high-level scripting language build up bash scripts through string operations and store them to disk, particularly into /sbin/.

I have reported two issues to the Openstack bug tracker for things that I believe may be security problems. It looks like Octavia may be written assuming malicious network inputs are impossible.

https://storyboard.openstack.org/#!/story/2008697
https://storyboard.openstack.org/#!/story/2008715

The MIR review included a comment that there's no root daemon in this package, but many of the operations it appears to perform require root-equivalent privileges. So I started looking for how the services in this package are started and had a great deal of difficulty figuring out how the debian/*.init.in files are turned into anything useful. (Hint for the future: universe/o/openstack-pkg-tools/openstack-pkg-tools_113ubuntu1/pkgos.make). I'm still not sure what user accounts are used when starting the services in this package -- or, by source inspection alone, how the services are started at all.

I don't think this package is ready for security support by the Ubuntu security team at this time. There are too many open questions about how this package functions and how quality assurance is maintained.

I'm sorry I don't have concrete asks for this package, but consider:

- a debian/README.source file that describes how to work with this package
- an error-free build log, or at least notes emitted in the log at every expected error about what the expected error is, and why
- a clear statement that the HTTP endpoint is root-equivalent, or changes to the HTTP server that would enforce stronger separation between API consumer and root.

Security team NAK for promoting octavia to main at this time.
Thanks

** Changed in: octavia (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

--
https://bugs.launchpad.net/bugs/1888309
Title: [MIR] octavia