Security review:
- No CVE history
- No compiled code
- Thankfully, already patched to use the system ca-certificates and supports
use of HTTPS. I verified that certificate verification is happening by default
(yeah!). It even does hostname mismatch checking.
- As Michael said, should not use an embedded urllib3.
- This is just a Python library with no initscripts/upstart jobs, dbus
services, setuid/setgid, fscaps/sudo/pkexec/su usage or cron jobs.

HTTPDigestAuth doesn't seem fully implemented yet. OAuth is using
python-oauthlib, which is good. Code is clean and looks supportable.

Note that python-urllib3 will have to be promoted to main. While it
didn't affect this MIR, it was not doing certificate verification by
default (LP: #1047054). I fixed this and forwarded to Debian.

Conditional ACK provided embedded urllib3 is ignored and system
python-urllib3 is used instead.

** Changed in: requests (Ubuntu)
Assignee: Jamie Strandboge (jdstrand) => Chuck Short (zulcss)
** Changed in: requests (Ubuntu)
Status: Incomplete => In Progress
https://bugs.launchpad.net/bugs/1011627
Title:
[MIR] python-requests
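
The two properties confirmed in the review above (certificate verification on by default, hostname mismatch checking), sketched as an added example that is not part of the original bug comment nor code from python-requests or urllib3. It uses only Python's standard ssl module; the certificate dict and host names are constructed samples, and the matching rules are a simplified form of the usual DNS-name comparison.

```python
import ssl

def context_verifies_by_default():
    """True if the stdlib default client context enforces both checks."""
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def _name_match(pattern, host):
    """Match one DNS name from a certificate against the requested host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire left-most label and only
    # when at least two further labels follow ("*.test" is rejected).
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "w*.example.test" are never accepted.
    return "*" not in pattern and p_labels == h_labels

def hostname_matches(cert, hostname):
    """cert is a dict shaped like SSLSocket.getpeercert() output."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Fall back to commonName only when no DNS SAN is present.
        for rdn in cert.get("subject", ()):
            dns_names += [v for k, v in rdn if k == "commonName"]
    return any(_name_match(name, hostname) for name in dns_names)

# Constructed sample certificate (not taken from any real server).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.api.example.test")),
}

if __name__ == "__main__":
    for host in ("www.example.test", "v1.api.example.test",
                 "a.b.api.example.test", "other.test"):
        print(host, hostname_matches(SAMPLE_CERT, host))
    print("default context verifies:", context_verifies_by_default())
```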