I reviewed python-oslo.metrics 0.3.0-0ubuntu1 as checked into impish. This shouldn't be considered a full audit but rather a quick gauge of maintainability. ANY OTHER NOTES REGARDING THE NATURE OF THE REVIEW ITSELF.

python-oslo.metrics is a middleware between statistics publishers and statistics collectors.

- CVE History: none
- Build-Depends? debhelper-compat (= 12), dh-python, openstack-pkg-tools, python3-all, python3-pbr (>= 3.1.1), python3-setuptools
- Build-Depends-Indep: python3-oslo.config (>= 1:6.9.0), python3-oslo.log (>= 3.44.0), python3-oslo.utils (>= 3.41.0), python3-prometheus-client (>= 0.6.0), python3-oslotest (>= 1:3.2.0), python3-stestr (>= 2.0.0)
- pre/post inst/rm scripts? dh_python3 blocks
- init scripts? none
- systemd units? none
- dbus services? none
- setuid binaries? none
- binaries in PATH? oslo-metrics
- sudo fragments? none
- polkit files? none
- udev rules? none
- unit tests / autopkgtests? Very short, run during build. The autopkgtests have a warning:
  UserWarning: Deprecate: ostestr command is deprecated now. Use stestr command instead.
- cron jobs? none
- Build logs: Clean
- Processes spawned? None
- Memory management? None
- File IO? None
- Logging? Looks fine
- Environment variable usage? None
- Use of privileged functions? None
- Use of cryptography / random number sources etc? None
- Use of temp files? The socket is stored in /var/tmp/metrics_collector.sock -- permissions look wrong.
- Use of networking? Unix domain socket, permissions look wrong.
- Use of WebKit? None
- Use of PolicyKit? None
- Any significant cppcheck results? None
- Any significant Coverity results? None (probably broken)
- Any significant shellcheck results? None
- Any significant bandit results? Unix domain socket in /var/tmp

python-oslo.metrics is pretty short and doesn't seem all that complicated.

I'm starting to wonder if there's just plain too many OpenStack packages these days; when I started this package, there wasn't a way to report bugs in it, and my attempts to get help on IRC led nowhere. Once it was possible to file bugs, my bug report didn't get much traction. (Almost understandable, it's not hugely important.) But it does give me the impression that the OpenStack security team may be spread too thin.

Security team ACK for promoting python-oslo.metrics to main.

Ideally, Corey's fix for the permissions would land in the archive before we ship it:

__main__.py main(): os.chmod(socket_path, stat.S_IRWXU | stat.S_IRWXO) -- https://bugs.launchpad.net/ubuntu/+source/python-oslo.metrics/+bug/1945533

** Changed in: python-oslo.metrics (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: python-oslo.metrics (Ubuntu)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943143

Title:
  [MIR] python-oslo.metrics, python-prometheus-client

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-oslo.metrics/+bug/1943143/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
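The permissions finding above (a Unix domain socket created in the shared /var/tmp directory and then chmod'ed to S_IRWXU | S_IRWXO, i.e. world read/write/execute) is the one concrete security point in the review. The following is an added example, not code from python-oslo.metrics or from Corey's fix: it places the weak mode from the reviewed `__main__.py` beside a hardened variant (owner-only mode, socket created under a private directory with a restrictive umask so the node never exists with open bits), and includes a small check a reviewer or test could run to flag a socket that is reachable by other users. The socket paths, the `bind_unix_socket` and `others_can_access` helper names, and the use of a temporary directory in place of /var/tmp are assumptions made for the example.

```python
import os
import shutil
import socket
import stat
import tempfile

# Mode from the reviewed __main__.py main(): owner rwx plus *others* rwx.
WEAK_MODE = stat.S_IRWXU | stat.S_IRWXO
# Hardened mode: owner read/write only (0600). A 0660 mode with a dedicated
# group is the usual alternative when a separate collector process must connect.
HARDENED_MODE = stat.S_IRUSR | stat.S_IWUSR


def bind_unix_socket(path, mode):
    """Bind a listening AF_UNIX socket at `path` and set its mode.

    The umask is tightened around bind() so the socket node is never created
    with group/other bits; the explicit chmod afterwards sets the final mode.
    (Helper name is an assumption for this example.)
    """
    if os.path.exists(path):
        os.unlink(path)  # remove a stale node left by a previous run
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    sock.listen(1)
    return sock


def mode_grants_group_or_other(mode):
    """True if any group or other permission bit is set in `mode`."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def others_can_access(path):
    """Check the on-disk mode of a socket node (or any file) for non-owner bits."""
    return mode_grants_group_or_other(os.stat(path).st_mode)


def demo():
    """Create one socket with the weak mode and one hardened, and compare.

    A private 0700 directory from mkdtemp() stands in for a proper runtime
    directory (e.g. one created by systemd's RuntimeDirectory=); the point is
    that the socket should not live in a world-writable shared directory.
    """
    private_dir = tempfile.mkdtemp(prefix="metrics-")  # created mode 0700
    weak_path = os.path.join(private_dir, "weak.sock")
    hardened_path = os.path.join(private_dir, "hardened.sock")
    weak_sock = bind_unix_socket(weak_path, WEAK_MODE)
    hardened_sock = bind_unix_socket(hardened_path, HARDENED_MODE)
    try:
        return {
            "weak": others_can_access(weak_path),          # True: world-accessible
            "hardened": others_can_access(hardened_path),  # False: owner only
        }
    finally:
        weak_sock.close()
        hardened_sock.close()
        shutil.rmtree(private_dir)


if __name__ == "__main__":
    print(demo())
```

`mode_grants_group_or_other` is deliberately a pure function over a mode value so it can be applied to the literal from the package source (as a code-review check) without creating a socket; `others_can_access` applies the same test to what actually landed on disk, which is what a packaging or autopkgtest check would look at.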