I reviewed python-aiosmtpd version 1.2-3 as checked into eoan as of this writing.
This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-aiosmtpd is an asyncio-based SMTP server.

- Last commit from March
- No CVE history
- Build-depends:
  - debhelper,
  - dh-python,
  - openssl,
  - python3-all,
  - python3-docutils,
  - python3-setuptools,
  - python3-sphinx
- postinst and prerm added automatically
- No init scripts
- No systemd services
- No DBus services
- No setuid
- Binaries in PATH: /usr/bin/aiosmtpd
- No sudo fragments
- No udev rules
- Some tests under aiosmtpd/tests/
  - FTBFS in Debian (from 2017). A test randomly fails, seems to be related to a possible race condition in test code. See: https://github.com/aio-libs/aiosmtpd/issues/133
  - test SMTP protocol
  - test SMTP over SSL/TLS
  - test server implementation
  - test LMTP protocol
- No cron jobs
- A lot of warnings in the build log:
  - Most warnings are about doc files
  - Some warnings that might be relevant to someone:

    test_message (aiosmtpd.tests.test_handlers.TestAsyncMessage) ... /<<PKGBUILDDIR>>/.pybuild/cpython3_3.7_aiosmtpd/build/aiosmtpd/controller.py:64: PendingDeprecationWarning: Task.all_tasks() is deprecated, use asyncio.all_tasks() instead
    test_setuid (aiosmtpd.tests.test_main.TestMain) ... /usr/lib/python3.7/asyncio/base_events.py:623: ResourceWarning: unclosed event loop <_UnixSelectorEventLoop running=False closed=False debug=False>
    ResourceWarning: Enable tracemalloc to get the object allocation traceback
    test_quit_with_arg (aiosmtpd.tests.test_smtp.TestSMTP) ... /usr/lib/python3.7/socket.py:660: ResourceWarning: unclosed <socket.socket fd=7, family=AddressFamily.AF_INET6, type=SocketKind.SOCK_STREAM, proto=6, laddr=('::1', 33640, 0, 0), raddr=('::1', 8025, 0, 0)>
    ResourceWarning: Enable tracemalloc to get the object allocation traceback

- No subprocess spawned
- File IO only in setup_helpers.py (helper functions for setup.py). Path to file hardcoded in setup.py and conf.py.
- Not so much logging done, mainly in smtp.py
  - uses logging module for logging debug and info messages
  - uses warnings module for logging warnings
  - apparently no logging in case of errors
- Environment variable
  - makes use of AIOSMTPD_CONTROLLER_TIMEOUT environment variable, expecting a float number
  - if variable not set, falls back to default '1.0'
  - no sanitization of input, but if a float number is not passed, will trigger exception
- setuid() server to 'nobody' user. This shouldn't be done, 'nobody' should be strictly used for NFS.
- Encryption
  - makes use of SSL/TLS
- Networking
  - SMTP server listens on a port specified on command line, or default port 8025.
- No WebKit
- No polkit
- No shell scripts
- No coverity issues

This is not an ACK or a NACK, we will keep waiting on the setuid to 'nobody' issue.

** Bug watch added: github.com/aio-libs/aiosmtpd/issues #133
   https://github.com/aio-libs/aiosmtpd/issues/133

https://bugs.launchpad.net/bugs/1820212
Title: [MIR] python-aiosmtpd as dependency of mailman3
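
The review above raises two points that translate into code: the unsanitized AIOSMTPD_CONTROLLER_TIMEOUT value and the setuid() to 'nobody'. The sketch below is an added example, not code from aiosmtpd or from the reviewer; the function names and the MAX_TIMEOUT bound are assumptions, and it shows that float() alone still lets "nan", "inf" and negative values through, plus a privilege drop that refuses 'nobody' and verifies root cannot be regained.

```python
import math
import os
import pwd

DEFAULT_TIMEOUT = 1.0  # default reported in the review
MAX_TIMEOUT = 60.0     # assumed upper bound, not taken from aiosmtpd

def controller_timeout(environ=os.environ):
    """Parse AIOSMTPD_CONTROLLER_TIMEOUT, rejecting values float() accepts."""
    raw = environ.get("AIOSMTPD_CONTROLLER_TIMEOUT")
    if raw is None:
        return DEFAULT_TIMEOUT
    try:
        value = float(raw)
    except ValueError:
        raise ValueError(f"timeout is not a number: {raw!r}") from None
    # float() parses "nan", "inf" and negatives without raising an exception.
    if not math.isfinite(value) or not 0 < value <= MAX_TIMEOUT:
        raise ValueError(f"timeout out of range: {raw!r}")
    return value

def resolve_service_account(name):
    """Return (uid, gid) for a dedicated account; refuse 'nobody' and uid 0."""
    if name == "nobody":
        raise ValueError("'nobody' is shared; use a dedicated service account")
    entry = pwd.getpwnam(name)  # raises KeyError if the account does not exist
    if entry.pw_uid == 0:
        raise ValueError(f"{name!r} maps to uid 0, nothing would be dropped")
    return entry.pw_uid, entry.pw_gid

def drop_privileges(name):
    """Irreversibly switch from root to the named account (must run as root)."""
    uid, gid = resolve_service_account(name)
    os.setgroups([])  # clear supplementary groups while still privileged
    os.setgid(gid)    # group before user: after setuid() this would fail
    os.setuid(uid)
    try:
        os.setuid(0)  # verify the drop cannot be undone
    except PermissionError:
        return uid, gid
    raise RuntimeError("root privileges can still be regained")

if __name__ == "__main__":
    print(controller_timeout({"AIOSMTPD_CONTROLLER_TIMEOUT": "2.5"}))
```

drop_privileges() has to be called while the process is still root and after the listening socket is bound.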