- No bug report in Debian; very calm Debian maintenance, there's a much newer
upstream version 0.5 which didn't get packaged.
- Two non-critical bug reports in Ubuntu, one is fixed upstream in 0.5.
- Version 0.5 indeed looks a lot better, as it removes a lot of code
duplication and uses more existing libraries (like libgnome-keyring). This
version should be packaged first.
- Relatively small package, most of which is glue code.
- The main problem that I see here is that it's handling a lot of passwords,
and doesn't use any kind of mlock()-like protection anywhere. So passwords are
copied around a lot and get easily written to disk unencrypted, once this gets
into swap.
- No i18n or usability issues, it's a backend library.
- Not actively maintained in Ubuntu.
Aside from this, it needs to be investigated what launchpadlib now does
with this module. Previously it stored its cookie files on disk in
~/.launchpadlib.., and it seems this change will not only break the
existing credentials files, but might also cause trouble with using
launchpadlib on servers, where no native keyring servers are available.
python-keyring has its own native implementation using python-crypto
(Recommends:, already in main), but I haven't reviewed this for
security. Perhaps Kees can take a look at this?
** Also affects: launchpadlib
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/686257
Title:
MIR needed (dependency of python-launchpadlib)
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
