[Bug 1820205] Re: [MIR] mailman-hyperkitty as dependency of mailman3

2019-07-02 Thread Christian Ehrhardt 
After evaluating dependencies, required further changes and mostly
maintainability for security and packaging, it was decided there are too
many concerns - not about any single package in particular, but the
overall Mailman3 stack - about the ability to maintain and monitor it as
well as we need it for support in main.

We have closed the primary LP bug already, the MIRs that are already approved 
will stay that way, but we will make no seed change to pull things in for now. 
Yet if other needs come up for those they have a prepared MIR already.
Other bugs - like this one - which are not yet completed in terms of review 
will be closed as Won't Fix.

Even though it ended up being aborted, I think that is a valid outcome of the
MIR evaluations. Nevertheless I want to thank everybody involved for
all the work spent in what was nearly a year working through these MIRs.

** Changed in: mailman-hyperkitty (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820205

Title:
  [MIR] mailman-hyperkitty as dependency of mailman3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mailman-hyperkitty/+bug/1820205/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1820205] Re: [MIR] mailman-hyperkitty as dependency of mailman3

2019-07-02 Thread Seth Arnold
** Changed in: mailman-hyperkitty (Ubuntu)
 Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)


[Bug 1820205] Re: [MIR] mailman-hyperkitty as dependency of mailman3

2019-03-20 Thread Christian Ehrhardt 
[Duplication]
This is part of the six core packages of mailman3 that pull in further 
components as needed.
Since this represents mailman doing mailing list processing there is a 
duplication to mailman2.
But the intention is to stop seeding mailman2 as soon as mailman3 got promoted.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package.

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
But there is enough for mailman2 (and a bit for 3) that we should expect not 
(much) less in the future when it becomes more widely used.
=> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman

It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- integrate arbitrary javascript into the desktop
- deal with system authentication
- use centralized online accounts
- parse data formats

But it does:
- process arbitrary web (actually mail) content

The archiver is pluggable; this is the plugin to link up hyperkitty (the 
default official archiver) with mailman3.
And while it just hands over the mails, those elements are often neglected and 
end up being the insecure ones.
A security review is recommended on this package.

[Common blockers]
- builds fine at the moment
- Server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- no build time tests, but tests run as autopkgtest (as they need services up)

[Packaging red flags]
- no current Ubuntu delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build
  - a few deprecation warnings, e.g. collections.abc, that will die with python 
3.8, but those are all actually from packages it depends on. I'm pretty sure 
they will adapt over time (alembic, sqlalchemy, urllib3, lazr); only urllib3 is 
the one dying with 3.8
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
Ack from the MIR Team's POV, but as outlined above a security review is 
recommended.
Assigning the Security Team.


** Changed in: mailman-hyperkitty (Ubuntu)
 Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
