[Bug 1430082] Re: [MIR] python-cryptography, python-cffi, pycparser, enum34
Seth Arnold
1430082 at bugs.launchpad.net
Tue Apr 14 02:01:57 UTC 2015
I reviewed python-cryptography version 0.8-1ubuntu2 as checked into Ubuntu
vivid. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- python-cryptography provides a cffi interface to OpenSSL with friendly
  shims for better python integration
- Build-Depends: debhelper, dh-python, python-all-dev, python3-all-dev,
  python-setuptools, python3-setuptools, python-cffi, python3-cffi,
  python-six, python3-six, libssl-dev, python-cryptography-vectors,
  python-cryptography-vectors, python3-cryptography-vectors,
  python3-cryptography-vectors, python-iso8601, python3-iso8601,
  python-pytest, python3-pytest, python-pretend, python3-pretend,
  python-pyasn1, python3-pyasn1, python-enum34, python3-enum34
- This package provides both recipes for safe cryptography use as well as
  a hazmat namespace for raw cryptography use. This package does not
  itself daemonize or connect to the network.
- pre/post inst/rm scripts automatically generated
- No initscripts
- No dbus services
- No binaries in the path
- No setuid or setgid
- No sudo fragments
- No udev rules
- No cronjobs
- Extensive test suite with thousands of test cases run during the build
- Clean build logs
- No subprocesses are spawned
- Memory management is very complicated; Python modules implemented in C
  need to manage both the python-GC system and the C unmanaged memory
  allocations. There were instructive comments near some C implementations
  about the proper way to manage that object type's memory, but errors
  feel inevitable.
- Very few file operations itself
- Logging looked safe
- No environment variable use on Linux, looked safe on Windows
- No privileged portions of code
- Extensive cryptography, much under control of client programs
- No networking
- No temporary file handling
- No WebKit
- No javascript
- No PolicyKit

python-cryptography is intricate, involved code; Python modules and
cffi are complicated, and OpenSSL's API is dangerous at the best of
times. That said, this code looks careful -- there's good parameter
checking, asserts throughout, comments are descriptive where they are
used, documentation is good.

I did not extensively check the cryptography used; spot checks looked
fine, Fernets looked interesting.

Security team ACK for promoting python-cryptography to main.

Thanks

** Changed in: python-cryptography (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-cffi in Ubuntu.
https://bugs.launchpad.net/bugs/1430082