After evaluating dependencies, required further changes and mostly
maintainability for security and packaging it was decided there are too
many concerns - not about any single package in particular, but the
overall Mailman3 stack - about the ability to maintain and monitor it as
well as we need it.
Here are the notes I took while reviewing this package:
About the source code:
uwsgi_calloc() re-introduces integer overflow bugs
cppcheck results are entirely false positives
About the debian packaging:
cdbs is unfortunate
gbp is difficult to work with
there's a huge number of binary packages
** Changed in: uwsgi (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820227
Title:
[MIR] uwsgi as dependency of
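The review note above flags that an allocation wrapper can re-introduce the integer-overflow bug that libc calloc() exists to prevent: if the wrapper multiplies count by element size before allocating, the product can wrap around SIZE_MAX and return a buffer far smaller than the caller assumes. The following is an added illustration written for this thread, not uwsgi's code and not a claim about how uwsgi_calloc() is implemented; naive_calloc(), checked_calloc() and mul_would_overflow() are hypothetical names. It shows the unchecked pattern beside the checked one and the arithmetic that makes the difference.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked wrapper (hypothetical, for illustration only): the product
 * nmemb * size is computed in size_t and silently wraps, so a huge
 * request can turn into a tiny allocation that later gets overrun. */
void *naive_calloc(size_t nmemb, size_t size) {
    size_t total = nmemb * size;       /* may wrap around SIZE_MAX */
    void *p = malloc(total);
    if (p) {
        memset(p, 0, total);           /* zeroes only the wrapped size */
    }
    return p;
}

/* Returns the wrapped product the naive wrapper would hand to malloc,
 * exposed so a test can show how small it becomes. */
size_t naive_total(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Returns 1 if nmemb * size does not fit in size_t, 0 otherwise.
 * Dividing instead of multiplying avoids the wrap entirely. */
int mul_would_overflow(size_t nmemb, size_t size) {
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Checked wrapper: refuses the request instead of wrapping, which is the
 * behaviour libc calloc() already provides for the two-argument form. */
void *checked_calloc(size_t nmemb, size_t size) {
    if (mul_would_overflow(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return calloc(nmemb, size);
}
```

When reviewing a wrapper like this, the thing to look for is whether the multiplication happens before any bound check; a wrapper that computes a total and passes it to malloc() has discarded the one guarantee calloc() adds.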
Yeah, I agree that uwsgi is a beast.
When trying alternatives (after all WSGI is supposed to be a specification)
there is a better candidate though. gunicorn is in universe and big as well, but
we'd have src:mod-wsgi providing httpd-wsgi as well through libapache2-mod-wsgi.
And that was already
I've been reading the uwsgi documentation and code for a few hours now;
I fully concur with Mathieu's assessment.
It's amazing how much uwsgi can do. It's got plugins for a huge number
of programming environments, storage backends, logging mechanisms, RPC
mechanisms... it goes on.
The
This package is huge and terrible to review; I had a look at it, and
I see a couple of places where it seems like it's security sensitive. To
top that off, it's a CGI server, so obviously security sensitive in its
own right. Let's have Security review it.
** Changed in: uwsgi (Ubuntu)
Assigned to cyphermox in today's MIR Team meeting - thanks a lot for
taking a look at this!
** Changed in: uwsgi (Ubuntu)
Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
FYI: The FTBFS fix is in progress and will soon be resolved.
FYI: but the package is also:
a) more complex
b) more likely to be a Deny or at least extra work to be triggered
Therefore I'm on next week's meeting passing the review of this one to a fellow
MIR team member