[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
** Changed in: python-xmlschema (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1953363 Title: [MIR] python-xmlschema, elementpath, importlib-resources To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elementpath/+bug/1953363/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
After some extra checks (The -doc package will be auto-included, but has only deps to main and thereby is no problem) and confirming with Lukasz (thanks) that there is no beta-freeze-problem making this harder this is ready.

None of this is left in -proposed, so only changing in -universe.

Override component to main
python-xmlschema 1.10.0-1 in jammy: universe/misc -> main
python-xmlschema-doc 1.10.0-1 in jammy amd64: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy arm64: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy armhf: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy i386: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy ppc64el: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy riscv64: universe/doc/optional/100% -> main
python-xmlschema-doc 1.10.0-1 in jammy s390x: universe/doc/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy amd64: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy arm64: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy armhf: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy i386: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy ppc64el: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy riscv64: universe/python/optional/100% -> main
python3-xmlschema 1.10.0-1 in jammy s390x: universe/python/optional/100% -> main
Override [y|N]? y
15 publications overridden.

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
It even migrated
python-xmlschema | 1.10.0-1 | jammy/universe | source

This was the last missing bit (thanks Corey!).

Furthermore AFAICS it is already in
https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.html

Blocking the transition of
python3-pysaml2 | 6.1.0-0ubuntu2 | jammy| all
python3-pysaml2 | 7.1.0-0ubuntu2 | jammy-proposed | all

That is otherwise ok to go:

python-pysaml2 (6.1.0-0ubuntu2 to 7.1.0-0ubuntu2)
Migration status for python-pysaml2 (6.1.0-0ubuntu2 to 7.1.0-0ubuntu2): BLOCKED: Rejected/violates migration policy/introduces a regression
Issues preventing migration:
python3-pysaml2/amd64 in main cannot depend on python3-xmlschema in universe
Impossible Depends: python-pysaml2 -> python3-xmlschema/1.10.0-1/amd64
Additional info:
5 days old

So it is ready for promotion. And doing so does not change a feature, but it would allow python3-pysaml2 to migrate clearing excuses a bit.
Since it isn't on any image I think it can be promoted now (I'll need to ask to be sure I'm not missing a secret roadblock).

** Changed in: python-xmlschema (Ubuntu) Status: New => In Progress

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
New version of python3-xmlschema is now in jammy-proposed.

** Changed in: python-xmlschema (Ubuntu) Status: Incomplete => New

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
Thanks, summary.
- MIR ack present
- Security Ack present

=> What is still left open is the required TODO from the MIR review as identified by James "Update to latest upstream release."

That would currently be 1.10 which also is in Debian testing/unstable
python-xmlschema | 1.4.2-1 | stable | source
python-xmlschema | 1.10.0-1 | testing| source
python-xmlschema | 1.10.0-1 | unstable | source
python-xmlschema | 1.4.2-1 | impish/universe | source
python-xmlschema | 1.4.2-1 | jammy/universe | source

uscan:=> Newer package available from https://github.com/sissaschool/xmlschema/archive/refs/tags/v1.10.0.tar.gz

Publishing history indicates there was no major update since January 2021 / Hirsute, so this request is still up.
https://launchpad.net/ubuntu/+source/python-xmlschema/+publishinghistory

Marking incomplete until updated

** Changed in: python-xmlschema (Ubuntu) Status: New => Incomplete

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
I reviewed python-xmlschema 1.4.2-1 as checked into jammy. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-xmlschema is a python package which provides XML schema support to allow XML schemas to be parsed/loaded and queried etc. It also allows XML documents to be validated against XML schema etc.

- No CVE History
- Interesting Build-Depends
  - python3-lxml, python3-elementpath
- pre/post inst/rm scripts
  - Standard auto-generated ones from dh_python3 to compile python code on installation / delete compiled code on uninstall
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 3 binaries in PATH
  - utilities to translate to/from XML and to validate XML schemas
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-json2xml
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-validate
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-xml2json
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - unit tests run during build via dh_auto_test
  - unit tests also run as autopkgtests
- No cron jobs
- Build logs look clean
- No processes spawned
- Memory management is not relevant as this is python
- File IO
  - As a library, will open files at paths specified by the caller of the library
  - Since documents can refer to remote resources, includes a sandbox mode so that remote resources will not be fetched / validated for local documents and vice-versa, but by default will fetch all resources
- Logging is careful from what I can see
- No apparent environment variable usage
- No apparent use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files (other than during tests)
- Use of networking to load remote resources via URIs
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- No significant Coverity results (a bunch of false positives)
- No significant shellcheck results
- No significant bandit results

The upstream project looks quite healthy - only 5 open github issues and 247 closed ones, and the oldest open issue is from 3rd February this year.

I do note that debian recently updated to 1.10.0 - should this be synced to jammy first? Is there a reason why this hasn't come already via the usual Debian sync process?

Security team ACK for promoting python-xmlschema to main.

** Changed in: python-xmlschema (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

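The File IO note in the review above says the library fetches every referenced resource by default and offers a sandbox mode to restrict that. As an added example (not part of the thread and not xmlschema's own code), the stdlib-only script below lists the `schemaLocation` references in an XSD and flags those that point to a remote URL or outside a chosen base directory; the sample schema, the `/srv/schemas` directory and the three verdict labels are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

XSD_NS = "{http://www.w3.org/2001/XMLSchema}"
# XSD elements that load another schema document through schemaLocation.
LOADERS = {"import", "include", "redefine", "override"}

# Constructed sample schema; all locations and namespaces are made up.
SAMPLE_XSD = """\
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:include schemaLocation="types/common.xsd"/>
  <xs:import namespace="urn:example:a"
             schemaLocation="https://schemas.example.org/a.xsd"/>
  <xs:import namespace="urn:example:b" schemaLocation="../../etc/b.xsd"/>
  <xs:import namespace="urn:example:c"
             schemaLocation="file:///srv/other/c.xsd"/>
  <xs:import namespace="urn:example:d"/>
</xs:schema>
"""


def classify(location, base_dir):
    """Return 'remote', 'local-inside' or 'local-outside' for one location."""
    parts = urlsplit(location)
    if parts.scheme not in ("", "file"):
        return "remote"
    if parts.netloc not in ("", "localhost"):
        return "remote"  # file://host/... names another machine
    # Lexical check only: symlinks are not resolved here.
    base = os.path.abspath(base_dir)
    target = os.path.abspath(os.path.join(base, unquote(parts.path)))
    inside = os.path.commonpath([base, target]) == base
    return "local-inside" if inside else "local-outside"


def audit_schema(xsd_text, base_dir):
    """List (element, schemaLocation, verdict) for every schema loader."""
    # ElementTree is adequate for the constructed sample; parse untrusted
    # schemas with a hardened parser instead.
    root = ET.fromstring(xsd_text)
    findings = []
    for elem in root.iter():
        if not elem.tag.startswith(XSD_NS):
            continue
        name = elem.tag[len(XSD_NS):]
        location = elem.get("schemaLocation")
        if name in LOADERS and location:
            findings.append((name, location, classify(location, base_dir)))
    return findings


def outside_sandbox(findings):
    """Keep only the references a directory-confined policy would refuse."""
    return [f for f in findings if f[2] != "local-inside"]


if __name__ == "__main__":
    for name, location, verdict in audit_schema(SAMPLE_XSD, "/srv/schemas"):
        print(f"{verdict:14} xs:{name:9} {location}")
```

xmlschema itself exposes the restriction through the `allow` argument of its schema classes (`allow='sandbox'`); the script only reports what a schema would reach for before it is loaded.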
[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
Seth, I think we have time still. Do you think this gives us enough time for Jammy?

sil2100> Łukasz Zemczak coreycb: the earlier the better. As seb128 mentioned, we don't really have any hard freezes for these (besides final freeze of course), but the 'perfect goal' would be to get as much in for the beta this week as possible, so that if it's to be pulled in, it's tested as part of the Beta

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
Hi Seth, I'm not sure when the deadline is either but I asked in #ubuntu-release. I'll let you know if I hear back.
[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
I'm not entirely sure when the actual real for real really deadline is, but if it's monday, probably not. Sorry.
[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
Hello,

Does the security team think this will get reviewed in time for Jammy?

Thanks,
Corey

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
** Changed in: python-xmlschema (Ubuntu) Importance: Undecided => High
[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
** Changed in: python-xmlschema (Ubuntu) Milestone: None => ubuntu-22.04-feature-freeze
[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
Override component to main
importlib-resources 5.1.2-1 in jammy: universe/misc -> main
python3-importlib-resources 5.1.2-1 in jammy amd64: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy arm64: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy armhf: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy i386: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy ppc64el: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy riscv64: universe/python/optional/100% -> main
python3-importlib-resources 5.1.2-1 in jammy s390x: universe/python/optional/100% -> main
8 publications overridden.

** Changed in: importlib-resources (Ubuntu) Status: Fix Committed => Fix Released

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
Override component to main
elementpath 2.3.0-1 in jammy: universe/misc -> main
python3-elementpath 2.3.0-1 in jammy amd64: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy arm64: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy armhf: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy i386: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy ppc64el: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy riscv64: universe/python/optional/100% -> main
python3-elementpath 2.3.0-1 in jammy s390x: universe/python/optional/100% -> main
8 publications overridden.

** Changed in: elementpath (Ubuntu) Status: Fix Committed => Fix Released

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
>> python-xmlschema <<

[Summary]
MIR team +1 for promotion to main pending update to latest updates release and review from security team.

Notes: autopackage test would be a nice improvement but not a blocking requirement

TODO:
Update to latest upstream release.
Security team review

[Duplication]
OK:
- No duplication with other packages in main.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

TODO:
- does parse data formats

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Warnings:
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is OK
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

TODO:
- the current release is not packaged

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: python-xmlschema (Ubuntu) Status: In Progress => New
** Changed in: python-xmlschema (Ubuntu) Assignee: James Page (james-page) => Ubuntu Security Team (ubuntu-security)

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
>> elementpath <<

[Summary]
MIR team +1 for promotion to main

Notes: autopackage test would be a nice improvement but not a blocking requirement.

[Duplication]
OK:
- No duplication with other packages in main.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Warnings:
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: elementpath (Ubuntu) Status: In Progress => Fix Committed

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
>> importlib-resources <<

[Summary]
MIR team +1 for promotion to main

Notes: autopackage test would be a nice improvement but not a blocking requirement.

[Duplication]
This module is part of the core Python library from 3.9+
This package is simply to provide a backport for older python versions (the main use-case for which is the cloud archive for OpenStack).

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Warnings:
- does not have a test suite that runs as autopkgtest

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

** Changed in: importlib-resources (Ubuntu) Status: In Progress => Fix Committed

[Bug 1953363] Re: [MIR] python-xmlschema, elementpath, importlib-resources
** Summary changed: - [MIR] python-xmlschema, elementpath + [MIR] python-xmlschema, elementpath, importlib-resources ** Also affects: importlib-resources (Ubuntu) Importance: Undecided Status: New ** Changed in: importlib-resources (Ubuntu) Assignee: (unassigned) => James Page (james-page) ** Changed in: importlib-resources (Ubuntu) Status: New => In Progress ** Description changed: [MIR] python-xmlschema [Availability] Currently in universe [Rationale] New versions of python-pysaml2 have a hard dependency on python-xmlschema. commit 3b707723dcf1bf60677b424aac398c0c3557641d from pysaml2 (https://github.com/IdentityPython/pysaml2.git) introduced the dependency on xmlschema: commit 3b707723dcf1bf60677b424aac398c0c3557641d Author: Ivan Kanakarakis Date: Sat Jan 9 00:31:13 2021 +0200 Fix CVE-2021-21238 - SAML XML Signature wrapping All users of pysaml2 that use the default `CryptoBackendXmlSec1` backend and need to verify signed SAML documents are impacted. `pysaml2 <= 6.4.1` does not validate the SAML document against an XML schema. This allows invalid XML documents to trick the verification process, by presenting elements with a valid signature inside elements whose content has been malformed. The verification is offloaded to `xmlsec1` and `xmlsec1` will not validate every signature in the given document, but only the first it finds in the given scope. Credits for the report: - Victor Schönfelder Garcia (isits AG International School of IT Security) - Juraj Somorovsky (Paderborn University) - Vladislav Mladenov (Ruhr University Bochum) Signed-off-by: Ivan Kanakarakis [Security] No security history [Quality Assurance] Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build. [Dependencies] Depends on python3-elementpath which is in universe. 
[Standards Compliance] FHS and Debian Policy compliant [Maintenance] Simple python package that the OpenStack Team will take care of [Background] The xmlschema library is an implementation of XML Schema for Python (supports Python 3.6+). This library arises from the needs of a solid Python layer for processing XML Schema based files for MaX (Materials design at the Exascale) European project. A significant problem is the encoding and the decoding of the XML data files produced by different simulation software. Another important requirement is the XML data validation, in order to put the produced data under control. The lack of a suitable alternative for Python in the schema-based decoding of XML data has led to build this library. Obviously this library can be useful for other cases related to XML Schema based processing, not only for the original scope. The full xmlschema documentation is available at https://xmlschema.readthedocs.io/en/latest/ - [MIR] elementpath [Availability] Currently in universe [Rationale] New versions of python3-pysaml2 have a hard dependency on python3-xmlschema, which has a hard dependency on python3-elementpath. [Security] No security history [Quality Assurance] Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build. [Dependencies] All are in main [Standards Compliance] FHS and Debian Policy compliant [Maintenance] Simple python package that the OpenStack Team will take care of [Background] Provides XPath 1.0 and 2.0 selectors for Python's ElementTree XML data structures, both for the standard ElementTree library and for the lxml.etree library. https://github.com/sissaschool/elementpath + + - + + [MIR] importlib-resources + + [Availability] + Currently in universe + + [Rationale] + New versions of python3-pysaml2 have a hard dependency on importlib-resources - this is a backport of the importlib.resources module found in Python 3.9 or later. 
Why do we need this module then? Well for OpenStack it will be backported to Focal which uses a pre 3.9 Python version. + + [Security] + No security history + + [Quality Assurance] + Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build. + + [Dependencies] + All are in main + + [Standards Compliance] + FHS and Debian Policy compliant + + [Maintenance] + Simple python package that the OpenStack Team will take care of