[Bug 1590425] Re: [MIR] python-ws4py

Seth Arnold 1590425 at bugs.launchpad.net
Sat Aug 13 00:37:22 UTC 2016


Hello; I reviewed python-ws4py version 0.3.4-3 as checked into Ubuntu
yakkety. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- No CVEs in our UCT database
- python-ws4py provides a python interface to websockets, both client and
  server implementations, for pure-python stdlib, tornado, gevent (the
  client) and cherrypy, gevent, wsgiref, and asyncio (the server).
- Build-deps: debhelper, dh-python, python-all, python-cherrypy3,
  python-gevent, python-mock, python-nose, python-setuptools, python-sphinx,
  python-sphinxcontrib.seqdiag, python-tornado, python3-all, python3-cherrypy3,
  python3-mock, python3-nose, python3-setuptools, python3-sphinx,
  python3-sphinxcontrib.seqdiag, python3-tornado
- Extensive networking
- No cryptography
- Does not itself daemonize
- Can listen on network sockets
- Does not itself pick userid
- pre/post inst/rm are automatically generated
- No init scripts
- No dbus services
- Not setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Smallish testsuite run during build; upstream uses a functional test
  framework for their releases
- No cron jobs
- Mostly clean build logs with a surprising entry:
Warning: apt-key output should not be parsed (stdout is not a terminal)
- No subprocesses spawned
- Doesn't itself open files
- Light logging
- Does not itself use environment variables
- Does not itself use privileged functions
- No cryptography
- A lot of simple networking; complicated framing mechanism
- WSGI / gevent / asyncio / tornado / cherrypy
- No privileged portions of code
- No temporary files
- No WebKit
- No PolicyKit
- No JavaScript

This looked to be professionally programmed and while it touches on
complicated areas of networking protocols and browsers, itself looks clean
and straightforward. There are notes in the documentation that the wsgi
and asyncio server implementations look immature or unsuitable by design
for production use, so clients may need to be careful about which
functionality is used. Presumably clients can be smart about this.

Security team ACK for promoting python-ws4py to main.

Thanks


** Changed in: python-ws4py (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1590425

Title:
  [MIR] python-ws4py

Status in python-ws4py package in Ubuntu:
  Incomplete

Bug description:
    [Availability]
    Currently in universe.

    [Rationale]
    Dependency for python-pylxd

    [Security]
    No security history

    [Quality Assurance]
    Package works out of the box with no prompting.

    [Dependencies]
    All are in main except for python-keystoneauth1

    [Standards Compliance]
    FHS and Debian Policy compliant.

    [Maintenance]
    Simple python package that the Ubuntu Server Team will take care of.

  == python-cherrypy ==

    [Availability]
    Currently in universe.

    [Rationale]
    Dependency for python-ws4py

    [Security]
    No security history

    [Quality Assurance]
    Package works out of the box with no prompting.

    [Dependencies]
    All are in main except for python-keystoneauth1

    [Standards Compliance]
    FHS and Debian Policy compliant.

    [Maintenance]
    Simple python package that the Ubuntu Server Team will take care of.

  == python-gevent ==

    [Availability]
    Currently in universe.

    [Rationale]
    Dependency for python-ws4py

    [Security]
    No security history

    [Quality Assurance]
    Package works out of the box with no prompting.

    [Dependencies]
    All are in main except for python-keystoneauth1

    [Standards Compliance]
    FHS and Debian Policy compliant.

    [Maintenance]
    Simple python package that the Ubuntu Server Team will take care of.

  == python-tornado ==

    [Availability]
    Currently in universe.

    [Rationale]
    Dependency for python-ws4py

    [Security]
    No security history

    [Quality Assurance]
    Package works out of the box with no prompting.

    [Dependencies]
    All are in main except for python-keystoneauth1

    [Standards Compliance]
    FHS and Debian Policy compliant.

    [Maintenance]
    Simple python package that the Ubuntu Server Team will take care of.

  == python-sphinxcontrib.seqdiag ==

    [Availability]
    Currently in universe.

    [Rationale]
    Dependency for python-ws4py

    [Security]
    No security history

    [Quality Assurance]
    Package works out of the box with no prompting.

    [Dependencies]
    All are in main except for python-keystoneauth1

    [Standards Compliance]
    FHS and Debian Policy compliant.

    [Maintenance]
    Simple python package that the Ubuntu Server Team will take care of.
