I am almost done with my review, but won't finish until tomorrow. In the 
interest of time, I thought I would comment on what I have so far:
Security review:
 * No CVE history in unity-lens-photos (new) or the embedded oauth2 module. The 
upstream for python-oauth2 doesn't seem particularly active, with no commits 
since December. That said, python-oauth2 has a comprehensive test suite that was 
not embedded in unity-lens-photos (though it is not enabled in the build 
and there is a failing test)
 * no compiled code
 * embeds oauth2.py, which looks like a python3 port of python-oauth2. I would 
much prefer python-oauth2 be updated and promoted so that other projects could 
utilize this.
 * no privileged commands (sudo/su/pkexec), no /tmp files, no 
initscripts/upstart jobs, no dbus system services, no setuid, fscaps or use of 
sudo; no cron jobs
 * no build errors or warnings
 * facebook is using https (good)
 * flickr: should be adjusted to use the secure API like in bug #1037169 for 
account plugins.
 * these are using python3-httplib2 (good), which should be doing SSL 
verification by default (see bug #882027)

I can say that things look ok but that I have two conditions so far:
 * flickr is updated to use the secure api
 * use system python-oauth2 instead of embedding. python-oauth2 will need 
packaging updates for python3, but presumably there are going to be many lenses 
that build off of the online-accounts work and thus will use oauth2. Having one 
python library with a test suite that all of them can use and that security 
can support is the best solution.

** Changed in: unity-lens-photos (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1029549

Title:
  [MIR] online-accounts and friends

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/account-plugins/+bug/1029549/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
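The two conditions set in the review above (plaintext flickr endpoints must move to the secure API, and the lenses must rely on httplib2's default certificate verification) are mechanical enough to check with a small audit script. The following is an added example written for this page, not code from unity-lens-photos, python-oauth2 or the Ubuntu security team. It parses Python source with the standard `ast` module, flags string literals that start with `http://` and flags any `httplib2.Http(...)` style call that passes `disable_ssl_certificate_validation=True` (a real httplib2 keyword) or passes that flag as a non-literal value that a reviewer would want to inspect by hand. The lens source it scans is constructed for the demonstration and does not reproduce the real lens code.

```python
"""Audit lens source for plaintext http:// endpoints and for explicitly
disabled TLS certificate verification.

Added example for this review; not code from unity-lens-photos,
python-oauth2 or httplib2. SAMPLE_LENS_SOURCE below is constructed
for illustration only.
"""
import ast
from typing import List, Optional, Tuple

# Constructed sample of what a lens might contain (not the real lens code).
SAMPLE_LENS_SOURCE = '''
import httplib2

FACEBOOK_GRAPH = "https://graph.facebook.com/me/photos"
FLICKR_REST = "http://api.flickr.com/services/rest/"   # plaintext endpoint
FLICKR_SECURE = "https://secure.flickr.com/services/rest/"

def fetch(url, token):
    h = httplib2.Http(disable_ssl_certificate_validation=True)  # weak
    return h.request(url + "?access_token=" + token)

def fetch_ok(url, token):
    h = httplib2.Http()  # certificate verification stays on by default
    return h.request(url, headers={"Authorization": "Bearer " + token})
'''

# (source line number, finding kind, detail)
Finding = Tuple[int, str, str]

# httplib2.Http() keyword that turns certificate verification off.
VERIFY_OFF_KWARG = "disable_ssl_certificate_validation"


def _string_value(node: ast.AST) -> Optional[str]:
    """Return the text of a string literal node, else None (Python 3.8+)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _call_name(func: ast.AST) -> str:
    """Best-effort dotted name of a call target, for the finding detail."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return _call_name(func.value) + "." + func.attr
    return "<call>"


def audit_source(source: str) -> List[Finding]:
    """Return findings for every plaintext endpoint and every call that
    disables (or might disable) certificate verification."""
    findings: List[Finding] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        text = _string_value(node)
        if text is not None and text.lower().startswith("http://"):
            findings.append((node.lineno, "plaintext-endpoint", text))
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg != VERIFY_OFF_KWARG:
                    continue
                value = kw.value
                detail = "%s(%s=...)" % (_call_name(node.func), VERIFY_OFF_KWARG)
                if isinstance(value, ast.Constant):
                    if value.value is True:
                        findings.append((node.lineno, "cert-validation-disabled", detail))
                    # a literal False/None keeps verification on: nothing to report
                else:
                    # flag is computed at runtime; needs a manual look
                    findings.append((node.lineno, "cert-validation-flag-dynamic", detail))
    # ast.walk is breadth-first; report in source order instead
    findings.sort(key=lambda f: f[0])
    return findings


def passes_review(source: str) -> bool:
    """True when the source meets both conditions from the review."""
    return not audit_source(source)


if __name__ == "__main__":
    for lineno, kind, detail in audit_source(SAMPLE_LENS_SOURCE):
        print("line %d: %s: %s" % (lineno, kind, detail))
    print("passes:", passes_review(SAMPLE_LENS_SOURCE))
```

Run it against the sample and it reports the `http://api.flickr.com` literal on line 5 and the `httplib2.Http(disable_ssl_certificate_validation=True)` call on line 9, while the `https://` endpoints and the default `httplib2.Http()` call pass. The check is deliberately conservative: a flag whose value is not a literal is reported for manual review rather than assumed safe, since a verification toggle that depends on configuration is exactly the kind of thing an MIR reviewer wants to see.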