Hi, the in depth review turned up no huge surprises on top of the discussion that already happened. One non blocking fix I submitted already.
Review for Source Package: python-legacy-cgi [Summary] MIR team ACK This does not need a security review (as it is equal to what we had pre python 3.13. List of specific binary packages to be promoted to main: python3-legacy-cgi Specific binary packages built, but NOT to be promoted to main: -none- Notes: While the legacy in its name and purpose are disencouraging to add it to main there is a track to let it go over time. As outlined (thanks James) this is the py 3.13 support for now [1] but only a stop gap and meant to go away once upstream worked that out (still finding incompatibilities) [2]. [1]: https://github.com/Pylons/webob/commit/0ab3c38e62b9371ee3524711ba2f4cff82280604 [2]: https://github.com/Pylons/webob/pull/466 Required TODOs: - none Recommended TODOs: - none [Rationale, Duplication and Ownership] There is no other package in main providing the same functionality Used to be in stdlib but no more, retained here until all dependencies can let go. A team is committed to own long term maintenance of this package. => ubuntu-openstack is already subscribed The rationale given in the report seems valid and useful for Ubuntu (but only for a while, we all expect this to be let go at some point) [Dependencies] OK: - no other Dependencies to MIR due to this - no -dev/-debug/-doc packages that need exclusion - No dependencies in main that are only superficially tested requiring more tests now. Problems: None [Embedded sources and static linking] OK: - no embedded source present - no static linking - does not have unexpected Built-Using entries - not a go package, no extra constraints to consider in that regard - not a rust package, no extra constraints to consider in that regard Problems: None [Security] OK: - history of CVEs does not look concerning (for something handling requests it was quite low, and now it changed to its legacy form being only fixes but no features which should make the future have a diminishing number) - does not run a daemon as root (runs as whatever it is used in, but itself does not define either) - does not use webkit1,2 - does not use lib*v8 directly - does not expose any external endpoint (port/socket/... or similar) - does not process arbitrary web content - does not use centralized online accounts - does not integrate arbitrary javascript into the desktop - does not deal with system authentication (eg, pam), etc) - does not deal with security attestation (secure boot, tpm, signatures) - does not deal with cryptography (en-/decryption, certificates, signing, ...) - this makes appropriate (for its exposure) use of established risk mitigation features (AFAICS Only the programs using it could know and do so) Problems: - does parse data formats, but as mentioned did so for years as part of the python stdlib and is thereby rather well analyzed already. No new scan of the same needed IMHO. [Common blockers] OK: - does not FTBFS currently - does have a test suite that runs at build time - test suite fails will fail the build upon error. - does have a non-trivial test suite that runs as autopkgtest via pybuild-autopkgtest - This does not need special HW for build or test - no new python2 dependency - Python package, but using dh_python Problems: None [Packaging red flags] OK: - Ubuntu does not carry a delta - symbols tracking not applicable for this kind of code. - Upstream update history is too new to judge based on that - Debian/Ubuntu update history is too new to judge based on that - the current release is packaged - promoting this does not seem to cause issues for MOTUs that so far maintained the package - no massive Lintian warnings - debian/rules is rather clean - It is not on the lto-disabled list Problems: None - debian/watch is present, but it fails to deliver anything useful explaining what I want would take about as long as doing it and this isn't a critical blocker. So I submitted [3] and consider this imperfect but ok to go on. [3]: https://salsa.debian.org/python-team/packages/python-legacy- cgi/-/merge_requests/1 [Upstream red flags] OK: - no Errors/warnings during the build - no incautious use of malloc/sprintf (the language has no direct MM) - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside tests) - no use of user nobody - no use of setuid / setgid - no important open bugs (crashers, etc) in Debian or Ubuntu (but almost too new to use that as indication) - no dependency on webkit, qtwebkit or libseed - not part of the UI for extra checks - no translation present, but none needed for this case (dev lib only) Problems: None -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2089244 Title: [MIR] python-legacy-cgi To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-legacy-cgi/+bug/2089244/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
