[Bug 1349868] Re: [MIR] new build dependencies for ceilometer
Seth Arnold
1349868 at bugs.launchpad.net
Wed Oct 22 18:44:13 UTC 2014
I reviewed python-pysnmp4 version 4.2.5-1 as checked into utopic. This
should not be considered a full security audit, but rather a quick gauge
of code maintainability.
- python-pysnmp provides a pure-python implementation of snmp
- Build-Depends: debhelper (>= 5.0.37.2), cdbs, python-all, python3-all,
  python-setuptools, python3-setuptools, python-crypto, python3-crypto
- Depends: smitools
- Recommends: python-crypto, python-pysnmp4-mibs, python-pysnmp4-apps,
  python-twisted
- Does use encryption
- Does use networking
- Uses smitools, thus libsmi
- Can be added to other applications via twisted, asyncore
- Does not itself daemonize
- No pre/post inst/rm scripts
- No initscripts
- No dbus
- No setuid
- No sudo fragments
- No udev rules
- No cron jobs
- Adds libsmi2pysnmp and build-pysnmp-mib binaries
- Clean build logs
- No subprocesses spawned
- Python, no real memory management
- Only file operation is read-only
- Logging looked safe
- No use of environment variables
- No privileged operations
- Does use cryptography, SNMP-standards-specified use of MD5, DES, 3DES,
  AES, SHA-1, etc. I didn't investigate further, mechanisms all
  standardized
- Extensive networking, looked to be well-managed
- No privileged portions of code
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit
The code is complicated, though references to relevant RFC sections
abound in much of the code. It all seemed straight-forward enough,
considering the complexity of SNMP.
Security team ACK for promoting python-pysnmp4 to main.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1349868
Title:
[MIR] new build dependencies for ceilometer
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libsmi/+bug/1349868/+subscriptions