[Bug 2048760] Re: [MIR] python-cssselect

Fri Feb 9 03:58:21 UTC 2024

I reviewed python-cssselect 1.2.0-2 as checked into noble.  This shouldn't
be considered a full audit but rather a quick gauge of maintainability.

python-cssselect is a python library to parse CSS3 selectors and translate
them to XPath 1.0 expressions. XPath 1.0 expressions can be used in lxml or
another XPath engine to find the matching elements in an XML or HTML
document.

- CVE History
  - No history and no current CVE to this package
- Build-Depends
  - python3-all, python3-lxml, python3-pytest, python3-setuptools
- pre/post inst/rm scripts
  - post-inst: byte compile python3-cssselect
  - pre-rm: removes .pyc and .pyo files for python3-cssselect
- init scripts
  - Not-available
- systemd units
  - Not-available
- dbus services
  - Not-available
- setuid binaries
  - Not-available
- binaries in PATH
  - Not-available
- sudo fragments
  - Not-available
- polkit files
  - Not-available
- udev rules
  - Not-available
- unit tests / autopkgtests
  - autopkgtests contains unit tests and it is running fine
- cron jobs
  - Not-available
- Build logs
  - These warnings are generated:
```
dpkg-source: warning: extracting unsigned source package (python-cssselect_1.2.0-2.dsc)
warning: no files found matching 'py.typed'
/usr/lib/python3/dist-packages/setuptools/_distutils/cmd.py:66: SetuptoolsDeprecationWarning: setup.py install is deprecated.
dpkg-gencontrol: warning: package python3-cssselect: substitution variable ${python3:Depends} unused, but is defined
```

- Processes spawned
  - None
- Memory management
  - None
- File IO
  - Looks good
- Logging
  - Not much of a logging in the code except in xpath.py where
    `warnings.warn()` is being used for logging
- Environment variable usage
  - None
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - No result
- Any significant Coverity results
  - No result
- Any significant shellcheck results
  - No result
- Any significant bandit results
  - None, looks fine
- Any significant govulncheck results
  - No result
- Any significant Semgrep results
  - No result

There are no open security issues upstream. The maintainers are not very
active in fixing opened issues/enhancement PRs. Their last few commits on
the package were to add support for new Python versions. The last version
published for this package was in Oct'22. The noble release uses the latest
available version upstream.

One recommendation for the owning team is to review and fix the build
warnings. Security team ACK for promoting python-cssselect to main.

** Changed in: python-cssselect (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: python-cssselect (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is a bug assignee.
https://bugs.launchpad.net/bugs/2048760

Title:
  [MIR] python-cssselect

Status in lxml package in Ubuntu:
  New
Status in python-cssselect package in Ubuntu:
  In Progress
Status in lxml package in Debian:
  Fix Released

Bug description:
  [Availability]
  - The package python-cssselect is already in Ubuntu universe.
  - The package python-cssselect build for the architectures it is designed to work on.
  - It currently builds and works for architectures: all
  - Link to package https://launchpad.net/ubuntu/+source/python-cssselect

  [Rationale]
  - The package python-csselect is currently a build dependency of lxml in Ubuntu
    main. However python-lxml doesn't work without it (#1017067) and it should be
    promoted to runtime dependency.
  - Demoting python-lxml, or modifying it to not require this package seems to
    be more work than maintaining an extra small package in sync with Debian.
  - It would be great and useful to community/processes to have the
    package python-cssselect in Ubuntu main, but there is no definitive deadline.

  [Security]
  - No CVEs/security issues in this software in the past
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package does not install services, timers or recurring jobs
  - Security has been kept in mind and common isolation/risk-mitigation
    patterns are in place utilizing the following features:
    The package is a Python library and doesn't perform any risky actions by
    itself.
  - Packages does not open privileged ports (ports < 1024).
  - Packages does not contain extensions to security-sensitive software
    (filters, scanners, plugins, UI skins, ...)

  [Quality assurance - function/usage]
  - The package works well right after install

  [Quality assurance - maintenance]
  - The package is maintained well in Debian/Ubuntu/Upstream and does
    not have too many, long-term & critical, open bugs
    - Ubuntu https://bugs.launchpad.net/ubuntu/+source/python-cssselect/+bug
    - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=python-cssselect
    - https://github.com/scrapy/cssselect/issues
  - The package does not deal with exotic hardware we cannot support

  [Quality assurance - testing]
  - The package does not run a test at build time because it runs its test
    suite as autopkgtest.
    This is fine, because build is architecture independent and only done once,
    versus autopkgtest is run on all architectures.
  - The package runs an autopkgtest, and is currently passing on
    all architectures except i386: https://autopkgtest.ubuntu.com/packages/python-cssselect
  - The package does have failing autopkgtests tests right now, but since
    they always failed they are handled as "ignored failure".
    This is ok because this is only on i386, and not all its dependencies are
    available for i386

  [Quality assurance - packaging]
  - debian/watch is present and works
  - debian/control defines a correct Maintainer field
  - This package does not yield massive lintian Warnings, Errors
  - Please link to a recent build log of the package
    https://launchpadlibrarian.net/645210260/buildlog_ubuntu-lunar-amd64.python-cssselect_1.2.0-2_BUILDING.txt.gz
  - The output from `lintian --pedantic` is empty
  - Lintian overrides are not present
  - This package does not rely on obsolete or about to be demoted packages.
  - This package has no python2 or GTK2 dependencies
  - The package will not be installed by default
  - Packaging and build is easy, debian/rules is trivial
    https://git.launchpad.net/ubuntu/+source/python-cssselect/tree/debian/rules?h=debian/sid

  [UI standards]
  - Application is not end-user facing (does not need translation)
    (Not even an application, the package is a Python library)

  [Dependencies]
  - No further depends or recommends dependencies that are not yet in main

  [Standards compliance]
  - This package correctly follows FHS and Debian Policy

  [Maintenance/Owner]
  - I Suggest the owning team to be Foundations
  - The future owning team is not yet subscribed, but will subscribe to
    the package before promotion
  - This does not use static builds
  - This does not use vendored code
  - This package is not rust based
  - The package was test rebuilt in PPA or sbuild recently (provide link/logs)
    https://launchpadlibrarian.net/710552022/buildlog_ubuntu-noble-amd64.python-cssselect_1.2.0-2~ppa1_BUILDING.txt.gz

  [Background information]
  - The Package description explains the package well
  - Upstream Name is cssselect
  - Link to upstream project https://github.com/scrapy/cssselect
  - Maintainers are the same as lxml, package was split from lxml in 2012:
    https://lxml.de/3.0/changes-3.0alpha1.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxml/+bug/2048760/+subscriptions