I reviewed python-nacl version 1.1.2-1build1 as checked into bionic. This isn't a full security audit but rather a quick gauge of maintainability.
- No CVEs in our database
- python-nacl is a shim to the libsodium library
- Build-Depends: debhelper, dh-python, libsodium-dev, python-all-dev, python-cffi, python-pytest, python-setuptools, python-six, python3-all-dev, python3-cffi, python3-pytest, python3-setuptools, python3-six, python3-sphinx
- Does not daemonize
- pre/post inst/rm scripts automatically generated
- No init scripts
- No systemd unit / service files
- No DBus services
- No setuid files
- No binaries in main
- No sudo fragments
- No udev rules
- Large test suite run during the build
- No cron jobs
- Build logs have an error that seems to indicate an attempt to build documentation based on network-reached assets:
  > loading intersphinx inventory from http://docs.python.org/objects.inv...
  > WARNING: failed to reach any of the inventories with the following issues:
  > WARNING: intersphinx inventory 'http://docs.python.org/objects.inv' not fetchable due to <class 'requests.exceptions.ProxyError'>: ('intersphinx inventory %r not fetchable due to %s: %s', 'http://docs.python.org/objects.inv', <class 'requests.exceptions.ProxyError'>, ProxyError(...))
  >
- No subprocesses spawned
- No file IO
- Memory management looked careful
- Logging looked careful
- No environment variable use
- Extensive cryptography -- but all wrappers
- No privileged functions
- No privileged portions of code
- No temporary files
- No WebKit use
- No JavaScript use
- No PolicyKit use

python-nacl is a straightforward FFI shim with good error checking and a test suite with over 4000 tests. (I didn't inspect the tests, but it surely sounds promising.)

Security team ACK for promoting python-nacl to main.

Thanks

** Changed in: python-nacl (Ubuntu)
       Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
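The file-layout items in the checklist above (setuid files, init scripts, systemd units, DBus services, udev rules, sudo fragments, cron jobs, binaries, maintainer scripts) are things a reviewer can enumerate mechanically from the built .deb before reading any code. The following is an added example, not code from this review, from PyNaCl or from Ubuntu's MIR tooling: a small Python auditor that parses the .deb's outer ar container and the control.tar/data.tar inside it, then reports each class of content. The install-path prefixes are the usual Debian locations and are assumptions about the package layout; build_sample_deb() writes a constructed package (with a setuid helper, a cron fragment and a postinst) so the checks have something to flag, and is not a real package. The code-level items in the checklist (subprocesses, file IO, environment variables) still need a read of the source.

```python
"""Added example: enumerate MIR-checklist content classes from a .deb (not the review's own tooling)."""
import io
import os
import stat
import tarfile
import tempfile

AR_MAGIC = b"!<arch>\n"

# Assumed Debian install-path prefixes (relative to /) for each checklist item.
PATH_CHECKS = {
    "init scripts": ("etc/init.d/",),
    "systemd units": ("lib/systemd/system/", "usr/lib/systemd/system/"),
    "DBus services": ("etc/dbus-1/", "usr/share/dbus-1/"),
    "udev rules": ("lib/udev/rules.d/", "usr/lib/udev/rules.d/"),
    "sudo fragments": ("etc/sudoers.d/",),
    "cron jobs": ("etc/cron.",),
    "binaries": ("bin/", "sbin/", "usr/bin/", "usr/sbin/"),
}
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def ar_members(blob):
    """Yield (name, bytes) for each member of an 'ar' archive, the outer .deb container."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                       # fixed 60-byte member header
        name = hdr[0:16].decode("ascii").strip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                  # bodies are padded to an even offset


def _normalise(name):
    return name[2:] if name.startswith("./") else name.lstrip("/")


def audit_deb(path):
    """Return {category: [paths]} for the content classes the checklist asks about."""
    report = {key: [] for key in list(PATH_CHECKS) + ["setuid files", "maintainer scripts"]}
    with open(path, "rb") as fh:
        blob = fh.read()
    for name, body in ar_members(blob):
        if not (name.startswith("control.tar") or name.startswith("data.tar")):
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
            for member in tf:
                rel = _normalise(member.name)
                if name.startswith("control.tar"):
                    if rel in MAINTAINER_SCRIPTS:
                        report["maintainer scripts"].append(rel)
                    continue
                if not member.isfile():
                    continue
                if member.mode & (stat.S_ISUID | stat.S_ISGID):
                    report["setuid files"].append(rel)
                for key, prefixes in PATH_CHECKS.items():
                    if rel.startswith(prefixes):
                        report[key].append(rel)
    return {key: sorted(paths) for key, paths in report.items()}


def _tar_gz(entries):
    """Build an in-memory .tar.gz from (name, data, mode) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data, mode in entries:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar(members):
    """Serialise (name, bytes) pairs as a GNU ar archive, the way dpkg-deb lays out a .deb."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data
        if len(data) & 1:
            out += b"\n"
    return bytes(out)


def build_sample_deb():
    """Write a constructed (not real) package that trips several checks; return its path."""
    control = _tar_gz([
        ("./control", b"Package: sample\nVersion: 0.1\nArchitecture: all\n", 0o644),
        ("./postinst", b"#!/bin/sh\nset -e\n", 0o755),
    ])
    data = _tar_gz([
        ("./usr/bin/sample", b"#!/bin/sh\nexit 0\n", 0o4755),            # setuid helper
        ("./etc/cron.d/sample", b"@daily root /usr/bin/sample\n", 0o644),
        ("./usr/lib/python3/dist-packages/sample.py", b"pass\n", 0o644),
    ])
    deb = _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])
    path = os.path.join(tempfile.mkdtemp(), "sample_0.1_all.deb")
    with open(path, "wb") as fh:
        fh.write(deb)
    return path


def audit_sample():
    """Build the constructed package and audit it."""
    return audit_deb(build_sample_deb())


if __name__ == "__main__":
    for category, paths in audit_sample().items():
        print(f"{category}: {paths or 'none'}")
```

Run it against a real package with audit_deb("/path/to/python3-nacl_..._amd64.deb"); every category should come back empty for a pure-Python FFI shim like the one reviewed above, which is exactly what the checklist records.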
https://bugs.launchpad.net/bugs/1747460

Title:
  [MIR] py-macaroon-bakery, protobuf, pyrfc3339

Status in protobuf package in Ubuntu:
  Invalid
Status in py-macaroon-bakery package in Ubuntu:
  Fix Released
Status in pyrfc3339 package in Ubuntu:
  Fix Released
Status in python-nacl package in Ubuntu:
  Incomplete

Bug description:
  py-macaroon-bakery
  ==================
  1. Availability: all
  2. Rationale: Macaroons are a new form of authorization mechanism. The macaroon bakery builds on pymacaroons, which allows it to work at a higher level. In order for MAAS (and other projects) to support macaroon-based authentication, this needs to be in main. This will allow projects to support remote/centralized authentication based on macaroons.
  3. Security: No CVEs
  4. QA: 0 bugs in debian/ubuntu
  5. UI standards: None
  6. Dependencies: Dependencies in universe:
     - python3-pymacaroons (MIR LP: #1746772)
     - python3-nacl
     - python3-protobuf
     - python3-rfc3339
  7. Standards: No lintian errors. Packaged with debhelper. Source format is 3.0 (quilt). Standards version: 4.4.1
  8. Maintenance: Easy.
  9. Background information: This is a required dependency to implement third party/centralized authentication alongside pymacaroons. This is a new dependency that's required by MAAS.

  python3-protobuf
  ==================
  1. Availability: any
  2. Rationale: Dependency of python3-macaroonbakery. The library from this same source package, libprotobuf10, is already in main.
  3. Security: No CVEs
  4. QA: protobuf source, 10 bugs in debian, 11 ubuntu
  5. UI standards: None
  6. Dependencies: All in main
  7. Standards: No lintian errors. Packaged with debhelper. Source format is 3.0 (quilt). Standards version: 3.9.8
  8. Maintenance: Easy.
  9. Background information: protobuf source already has binaries in main. This is just the python bindings that are required by macaroonbakery.

  rfc3339
  ==================
  1. Availability: all
  2. Rationale: Dependency of python3-macaroonbakery.
  3. Security: No CVEs
  4. QA: 0 bugs in debian/ubuntu
  5. UI standards: None
  6. Dependencies: All in main
  7. Standards: No lintian errors. 1 warning:
     W: pyrfc3339 source: ancient-standards-version 3.9.6 (released 2014-09-17) (current is 4.1.3)
     Packaged with debhelper. Source format is 3.0 (quilt)
  8. Maintenance: Easy.
  9. Background information: Parser and generator of RFC 3339-compliant timestamps. This is a dependency for python3-macaroonbakery.

  python-nacl
  ==================
  1. Availability: any
  2. Rationale: Dependency of python3-macaroonbakery.
  3. Security: No CVEs
  4. QA: 0 bugs in debian/ubuntu
  5. UI standards: None
  6. Dependencies: All in main
  7. Standards: No lintian errors. Uses standards version 3.9.8. Packaged with debhelper. Source format is 3.0 (quilt)
  8. Maintenance: Easy.
  9. Background information: PyNaCl is a Python binding to the Networking and Cryptography library. This is a dependency for python3-macaroonbakery.