[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid

Christian Ehrhardt  1854362 at bugs.launchpad.net
Thu Dec 5 09:28:29 UTC 2019 

For python-configshell-fb

[Summary]
- Overall looks ok, MIR Team ack
- @Openstack team: it would be great if you'd would fix https://bugs.launchpad.net/ubuntu/+source/python-configshell-fb/+bug/1776761
  If you happen to UCA port this to 18.04 that might help anyway (unless you plan to add that package to UCA itself)
- While attack surface seems minimal the value of getting in seems high in this case, so security should have a look (assigning them)

[Duplication]
There is duplication around this project but not in Main.
https://pypi.org/project/configshell-fb/ belongs to https://github.com/open-iscsi/configshell-fb
Those are all forks and a project has to live in either "all -fb or none" world to work.
But Debian/Ubuntu run the -fb path of this everywhere, so that is good.

[Embedded sources and static linking]
- no embedded sources
- no static linking (python)
- no golang package

[Security]
- no CVE history
- no daemon as root
- no use of webkit1,2
- no use of lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

But:
- does parse data formats from caller and coming back from configshell-fb
In general since this deals with setting up storage access to critical data is close.
OTOH attack surface is low as you'd need to have control of the application or the storage already.
Never the less it seems reasonable to ask security to have a look.

[Common blockers]
- builds fine atm
- unfortunately there is no test suite (neither build time nor autopkgtest)
- ubuntu-openstack is already subscribed to bugs of this
- no translations available (none needed for this case)
- dh helpers for python are used
- python2 packages present but not part of the dependency that will pull it into main

[Packaging red flags]
- no Ubuntu delta
- no symbols tracking in python to consider
- watch file is present
- Upstreams releases are not rare, but at what seems random intervals
  - Debian usually packages those quite well being up to date or one behind
  - E.g. the current release isn't packaged but the delta 1.1.25 -> 1.1.27 seems negligible so that is overall ok
- not causing problems for MOTUs
- no massive Lintian warnings
- d/rules is very small and clear
- no Built-Using
- no go package for further considerations

[Upstream red flags]
- no critical Errors/warnings during the build
- no Incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no User nobody
- no use of setuid
- No important bugs (crashers, etc) in Debian or Ubuntu going forward
  - https://bugs.launchpad.net/ubuntu/+source/python-configshell-fb/+bug/1776761 ould be nice to be SRUed I guess
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI

** Changed in: python-configshell-fb (Ubuntu)
     Assignee: Christian Ehrhardt  (paelzer) => Ubuntu Security Team (ubuntu-security)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-rtslib-fb in Ubuntu.
https://bugs.launchpad.net/bugs/1854362

Title:
  [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid

Status in ceph-iscsi package in Ubuntu:
  Confirmed
Status in python-configshell-fb package in Ubuntu:
  Confirmed
Status in python-rtslib-fb package in Ubuntu:
  Confirmed
Status in tcmu package in Ubuntu:
  Confirmed
Status in urwid package in Ubuntu:
  Confirmed

Bug description:
  == ceph-iscsi ==

  [Availability]
  In universe

  [Rationale]
  Provides iSCSI gateway to a Ceph cluster, allowing clients which don't understand RBD to use Ceph storage.

  [Security]
  No security history found.

  [Quality assurance]
  Package runs tests during package build (submitted back to Debian).

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == tcmu ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  Handles the userspace side of the LIO TCM-User backstore allowing LIO
  to use librbd for Ceph backed block devices.

  [Security]
  Some security history:

  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcmu

  All in older versions.

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == python-configshell-fb ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  [Security]
  No security history

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == python-rtslib-fb ==

  [Availability]
  In universe

  [Rationale]
  Dependency for ceph-iscsi

  [Security]
  No security history

  [Quality assurance]
  No tests in source package for execution during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

  == urwid ==

  [Availability]
  In universe

  [Rationale]
  Dependency for python-configshell-fb

  [Security]
  No security history

  [Quality assurance]
  Tests present and executed during package build.

  [Dependencies]
  All in main or on this MIR

  [Standards compliance]
  OK

  [Maintenance]
  ubuntu-openstack

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph-iscsi/+bug/1854362/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list