[Duplication]
This is part of the six core packages of mailman3 that pull in further
components as needed.
Since this represents mailman doing mailing list processing there is a
duplication to mailman2.
But the intention is to stop seeding mailman2 as soon as mailman3 got promoted.
[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
It is not a Go package.
[Security]
I can confirm that there seems to be no CVE/Security history for this package.
But there is enough for mailman2 (and a bit for 3) that we should expect not
(much) less in the future when it becomes more widely used.
=> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- integrate arbitrary javascript into the desktop
- deal with system authentication
- use centralized online accounts
- parse data formats
But it does:
- process arbitrary web (actually mail) content
The archiver is pluggable; this is the plugin that links hyperkitty (the
default official archiver) up with mailman3.
And while it just hands the mails over, such glue elements are often neglected
and end up being the insecure ones.
A security review is recommended on this package.
[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- no build time tests, but tests run as autopkgtest (as they need services up)
[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder
[Upstream red flags]
- no suspicious errors during build
- a few deprecation warnings, e.g. collections.abc, that will die with python
3.8, but those are all actually from packages it depends on. I'm pretty sure
they will adopt over time (alembic, sqlalchemy, urllib3, lazr); only urllib3 is
the one dying with 3.8
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either
[Summary]
Ack from the MIR Team's POV, but as outlined above a security review is
recommended.
Assigning the Security Team.
** Changed in: mailman-hyperkitty (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
https://bugs.launchpad.net/bugs/1820205
Title:
[MIR] mailman-hyperkitty as dependency of mailman3