[Duplication] No duplication of that functionality in the Archive in general or main in particular.
[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package.

[Security]
I can confirm that there seems to be no CVE/security history for this package.
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- use centralized online accounts
- integrate arbitrary javascript into the desktop
- deal with system authentication
But it does:
- process arbitrary web content
- parse data formats
This package is a bit odd; it is like "the remaining django extensions". Mailman doesn't use all of them, so from that POV it would be rather safe. But some of the elements it contains could unfortunately be security sensitive (e.g. someone without permission gets the debugger active) :-/
Django after all is a web framework, and since this part deals with many things, among others debuggers, I think a security review should be done for this package.
@Security team - all the mailman stack uses is django_extensions.management.jobs [1], but as explained the package can do more, and unfortunately MIR is on the src level. Let me know if we should/need some sort of separation, but upstream just keeps them all together; I doubt that splitting the SRC would be good either.

[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- utilizes build time self tests

[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build (a few warnings, but nothing concerning)
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
Ack from the MIR Team's POV, but as outlined above a security review is recommended. Assigning the security Team.

[1]: https://github.com/django-extensions/django-extensions/blob/master/django_extensions/management/jobs.py

** Changed in: python-django-extensions (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

Title: [MIR] python-django-extensions as dependency of mailman3
https://bugs.launchpad.net/bugs/1820215