This should not be considered a complete security audit, but rather
a quick gauge of maintainability.
I audited python-markdown 2.3.1-1 as checked into Saucy.
- No CVE history
- Markdown's purpose is dual, first to make writing simple HTML easier,
second to provide a safe way for untrusted users to produce HTML in
web applications and elsewhere. Thus some input comes from trusted
programmers, some input comes from untrusted users.
- Build-dep python-nose, python3-nose, are used as test runners.
- Build-dep python-tidylib is used during tests
- python-markdown Suggests: the older python-utidylib for runtime use as
one extension uses it
- python3-markdown does not Suggest: python-tidylib, as no extensions use it
- No encryption, no networking, can use pygments, embeds portions of old
ElementTree codebase
- No daemons, no services, no cron jobs, no init scripts, no dbus, no sudo
- One binary, simple markdown converter
- prerm cleans up postinst
- Clean build logs
- No spawned processes
- Defensive code often checks pre-conditions
- File manipulation looks safe, encodings managed using good tools
- No special environment variable handling
- No privileged operations
- Extensive tests run during build
python-markdown looks to be written in a professional manner. The extensive
tests would lend confidence to any maintenance that may become necessary.
Security team ACK for including into main.
** Changed in: python-markdown (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1187191
Title:
[MIR] python-markdown
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-markdown/+bug/1187191/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
