[Bug 2089244] Re: [MIR] python-legacy-cgi
Christian Ehrhardt
2089244 at bugs.launchpad.net
Wed Jan 8 09:57:40 UTC 2025
Hi,
the in depth review turned up no huge surprises on top of the discussion that
already happened. One non blocking fix I submitted already.
Review for Source Package: python-legacy-cgi
[Summary]
MIR team ACK
This does not need a security review (as it is equal to what we had pre python
3.13.
List of specific binary packages to be promoted to main: python3-legacy-cgi
Specific binary packages built, but NOT to be promoted to main: -none-
Notes:
While the legacy in its name and purpose are disencouraging to add it to
main there is a track to let it go over time.
As outlined (thanks James) this is the py 3.13 support for now [1] but only a
stop gap and meant to go away once upstream worked that out (still finding
incompatibilities) [2].
[1]: https://github.com/Pylons/webob/commit/0ab3c38e62b9371ee3524711ba2f4cff82280604
[2]: https://github.com/Pylons/webob/pull/466
Required TODOs:
- none
Recommended TODOs:
- none
[Rationale, Duplication and Ownership]
There is no other package in main providing the same functionality
Used to be in stdlib but no more, retained here until all dependencies can
let go.
A team is committed to own long term maintenance of this package.
=> ubuntu-openstack is already subscribed
The rationale given in the report seems valid and useful for Ubuntu (but only
for a while, we all expect this to be let go at some point)
[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
more tests now.
Problems: None
[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
Problems: None
[Security]
OK:
- history of CVEs does not look concerning (for something handling requests
it was quite low, and now it changed to its legacy form being only fixes
but no features which should make the future have a diminishing number)
- does not run a daemon as root (runs as whatever it is used in, but itself does not define either)
- does not use webkit1,2
- does not use lib*v8 directly
- does not expose any external endpoint (port/socket/... or similar)
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates,
signing, ...)
- this makes appropriate (for its exposure) use of established risk
mitigation features (AFAICS Only the programs using it could know and do so)
Problems:
- does parse data formats, but as mentioned did so for years as part of the
python stdlib and is thereby rather well analyzed already. No new scan of
the same needed IMHO.
[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest via pybuild-autopkgtest
- This does not need special HW for build or test
- no new python2 dependency
- Python package, but using dh_python
Problems: None
[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- Upstream update history is too new to judge based on that
- Debian/Ubuntu update history is too new to judge based on that
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
maintained the package
- no massive Lintian warnings
- debian/rules is rather clean
- It is not on the lto-disabled list
Problems: None
- debian/watch is present, but it fails to deliver anything useful
explaining what I want would take about as long as doing it and this isn't
a critical blocker. So I submitted [3] and consider this imperfect but ok to
go on.
[3]: https://salsa.debian.org/python-team/packages/python-legacy-
cgi/-/merge_requests/1
[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (the language has no direct MM)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
tests)
- no use of user nobody
- no use of setuid / setgid
- no important open bugs (crashers, etc) in Debian or Ubuntu (but almost too
new to use that as indication)
- no dependency on webkit, qtwebkit or libseed
- not part of the UI for extra checks
- no translation present, but none needed for this case (dev lib only)
Problems: None
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-legacy-cgi in Ubuntu.
https://bugs.launchpad.net/bugs/2089244
Title:
[MIR] python-legacy-cgi
Status in python-legacy-cgi package in Ubuntu:
Fix Released
Bug description:
[Availability]
The package python-legacy-cgi is already in Ubuntu universe.
The package build for the architectures it is designed to work on.
It currently builds and works for architectures: all
Link to package https://launchpad.net/ubuntu/+source/python-legacy-cgi
Upstream project: https://pypi.org/project/legacy-cgi/
[Rationale]
- The package python-legacy-cgi is a new runtime dependency of package python-webob that
we already support
- The package provides the 'cgi' module that was part of the Python stdlib prior to Python 3.13
- The long term approach should be to re-write libraries and apps to not use CGI, moving
to alternative WSGI based frameworks - this package buys some time for upstream projects to
complete this work - webob looks like it will transition for the 2.x release.
[Security]
As this module was part of the core Python stdlib searched for python + cgi instead:
- No CVEs/security issues in this software in the past
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python+cgi
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Packages does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/python-legacy-cgi/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=python-legacy-cgi
- Upstream's bug tracker, e.g., GitHub Issues
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it makes the build fail, link to build log TBD
- The package runs an autopkgtest, and is currently passing on
this !i386 list of architectures, link to test logs
https://autopkgtest.ubuntu.com/packages/python-legacy-cgi/plucky/amd64
- The package does have not failing autopkgtests right now
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package:
https://launchpad.net/ubuntu/+source/python-legacy-cgi/2.6.1-2/+build/29268376
- Lintian overrides are not present
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging and build is easy, link to debian/rules:
https://git.launchpad.net/ubuntu/+source/python-legacy-cgi/tree/debian/rules
[UI standards]
- Application is not end-user facing (does not need translation)
[Dependencies]
- No further depends or recommends dependencies that are not yet in main
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be ubuntu-openstack and I have their acknowledgement for
that commitment
- This does not use static builds
- This does not use vendored code
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on launchpad: https://launchpad.net/ubuntu/+source/python-legacy-cgi/2.6.1-2/+build/29268376
[Background information]
This package is a fork of the cgi and cgitb modules that formed part of the stdlib until Python 3.13.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-legacy-cgi/+bug/2089244/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list