[Bug 1543754] Re: [MIR] barbican, python-pykmip

2019-04-09 Thread James Page
Marking pykmip as a won't fix - the solution we are deploying makes use of vault which has its own rest api. ** Changed in: python-pykmip (Ubuntu) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2018-06-07 Thread Mathieu Trudel-Lapierre
James, is there still interest in python-pykmip in main? This package had some issues identified that should be fixed prior to promotion. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1543754 Title:

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-10-04 Thread Steve Langasek
** Changed in: python-pykmip (Ubuntu) Assignee: (unassigned) => Ubuntu OpenStack (ubuntu-openstack)

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-09-20 Thread James Page
The use of: sqlite:tmp/pykmip.database is hardcoded, so we'll have to patch this - ideally it would be located in /var/lib/pykmip with an appropriate user and permissions. This is used in the native implementation only AFAICT and as such is not considered secure, but could definitely be

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-22 Thread Steve Langasek
Override component to main barbican 1:3.0.0~b2-0ubuntu2 in yakkety: universe/misc -> main barbican-api 1:3.0.0~b2-0ubuntu2 in yakkety amd64: universe/net/extra/100% -> main barbican-api 1:3.0.0~b2-0ubuntu2 in yakkety arm64: universe/net/extra/100% -> main barbican-api 1:3.0.0~b2-0ubuntu2 in

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-22 Thread James Page
Needs to be seeded - sorting that out now.

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-19 Thread Steve Langasek
> OpenStack Mitaka requires the barbican package. There is no package in main which depends on barbican. It has been promoted to main, but now is listed in components-mismatches as requiring demotion. http://people.canonical.com/~ubuntu-archive/component-mismatches-proposed What is meant to

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-19 Thread Matthias Klose
Override component to main barbican 1:3.0.0~b2-0ubuntu2 in yakkety: universe/misc -> main barbican-api 1:3.0.0~b2-0ubuntu2 in yakkety amd64: universe/net/extra/100% -> main barbican-api 1:3.0.0~b2-0ubuntu2 in yakkety arm64: universe/net/extra/100% -> main barbican-api 1:3.0.0~b2-0ubuntu2 in

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-19 Thread Matthias Klose
please could you package a Python3 module as well? Having a Python2 only module in main should be a no-go given that we are trying to demote Python2.

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-18 Thread Mathieu Trudel-Lapierre
I think we're good with barbican now; MIR approved -- Of course, this will still be blocked on the issues listed by Seth for python-pykmip. ** Changed in: barbican (Ubuntu) Status: In Progress => Fix Committed

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-17 Thread Seth Arnold
I reviewed python-pykmip version 0.5.0-1 as checked into Ubuntu yakkety; this shouldn't be considered a full security audit but rather a quick gauge of maintainability. - I did not notice python-pykmip CVEs in our tracking database - python-pykmip provides a standardized user interface to

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-04 Thread James Page
Mathieu I've pushed fixes to lp:~ubuntu-server-dev/ubuntu/+source/barbican to resolve the majority of lintian warnings; systemd-service-file-missing-documentation-key needs to be fixed outside of this package as systemd configuration is automatically generated - right now every core openstack

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-04 Thread James Page
FTR merging with Debian is tricky; the required barbican version is in experimental (so no merge-o-matic), and we have quite divergent views on what a core piece of OpenStack packaging should be doing compared to the opinion of the principal developer in the pkg-openstack team in Debian. So

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-04 Thread James Page
pykmip would be the principal integration library for a HSM; so I think it does need to at least be a Recommends; if someone is not using pykmip, they are using the internal insecure secrets store.

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-03 Thread Mathieu Trudel-Lapierre
python-ldap has been demoted from main to universe since the original request -- please ask the ubuntu-archive team to reinstate it (should not need a MIR since it used to be in main in Wily). I only noticed one thing I would consider a blocker: Given that python-pykmip was a Build-Dependency, I

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-03 Thread Mathieu Trudel-Lapierre
Alright, in light of this I need to have another look at barbican, given that I no longer have enough state to just ACK it. I will do the reviewing again now and respond tonight. The Security Team has yet to assess python-pykmip. ** Changed in: barbican (Ubuntu) Status: New => In Progress

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-03 Thread Seth Arnold
James, thanks. Security team ACK for promoting barbican to main. FWIW even the "insecure" mode may be convenient enough to use the same API vs just storing secrets in a shared filesystem. We may still consider hypothetical weaknesses in the simple_crypto_plugin to be 'low' as a result. Thanks

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-03 Thread James Page
(so yes, we do still want barbican)

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-08-03 Thread James Page
Hi Seth Some feedback on your review 1) Barbican without an HSM We'd come to the same conclusion that you did - Barbican without an HSM is really not secure, and the built-in crypto or softhsm options are really POC/dev use only. From a deployment perspective, we have charms for barbican +

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-07-29 Thread Seth Arnold
I reviewed barbican version 1:2.0.0-0ubuntu1; this shouldn't be considered a full audit, but rather a quick gauge of maintainability. Barbican appeared to be developed to professional standards but it feels like it's still making larger architectural decisions and I'm not sure who the consumers

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-07-26 Thread Seth Arnold
Is barbican intended for user-owned services to use? Or is it intended solely for openstack applications to use? Thanks

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-04-07 Thread Corey Bryant
All of the Barbican changes have now been pushed and will be uploaded shortly. A team bug subscriber has also been added for python-pykmip.

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-04-01 Thread Mathieu Trudel-Lapierre
python-pykmip: - package is missing a team subscriber - the latest version isn't packaged; 0.4.1 might have good bug fixes - python-pykmip deals with potentially sensitive data, in that it's used to manage crypto keys, it would benefit from a security review. Please fix add a subscriber to the

[Bug 1543754] Re: [MIR] barbican, python-pykmip

2016-04-01 Thread Michael Terry
** Changed in: python-pykmip (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)