Public bug reported:

[ruby-safe-yaml]
Availability: in universe.
Rationale: dependency of puppet, which is in main.
Security: no existing security history. But this is a security-sensitive
component, and perhaps needs a security review. A puppetmaster parses input
from puppet clients, and we don't want such clients to be able to compromise
the puppetmaster. CVE-2013-3567 is an example of how this can happen.
Quality assurance: simple Ruby module that becomes immediately available on 
installation. No debconf prompts (in fact no maintainer scripts). No 
outstanding bugs. No flags in Debian PTS. Existing tests run as part of the 
package build. A gemwatch-based watch file exists.
UI standards: N/A
Dependencies: two build dependencies ruby-hashie and ruby-indentation are in 
universe; MIR reports are below. All other dependencies are in main (just 
standard Ruby dependencies; nothing esoteric or specific to this module).
Standards compliance: FHS and policy compliant to 3.9.4.0. The packaging looks
like boilerplate best-practice Ruby packaging using debhelper (dh).
Maintenance: this is a simple Ruby module. Minimal maintenance expected, except
for the need to keep up with the latest upstream releases as it is security-
sensitive. The Debian puppet maintainers have the same concerns as us here, so
I don't think this will be a problem.
Background information: this is now a dependency of puppet. I believe this 
happened as a result of https://puppetlabs.com/security/cve/cve-2013-3567/. 
This package was adopted into the puppet source package to fix this particular 
vulnerability in Ubuntu, since the vendor switched to this upstream module. We 
now need this in main so that we can depend on it.

[ruby-hashie]
Availability: in universe.
Rationale: build dependency of ruby-safe-yaml (MIR report above), which is a 
dependency of puppet, which is in main.
Security: no prior security history. No security-sensitive executables. No 
daemon.
Quality assurance: simple Ruby module that becomes immediately available on 
installation. No debconf prompts (in fact no maintainer scripts). No existing 
bugs in Ubuntu or Debian. There is a (minor) new upstream release available, 
but otherwise the simplicity of the module means that little maintenance has 
been needed. Existing tests run as part of the package build. A gemwatch-based 
watch file exists and is working.
UI standards: N/A
Dependencies: all are in main (just standard Ruby dependencies; nothing 
esoteric or specific to this module).
Standards compliance: FHS and policy compliant to 3.9.4.0. The packaging looks
like boilerplate best-practice Ruby packaging using debhelper (dh).
Maintenance: this is a simple Ruby module. Minimal maintenance expected.
Background information: none.

[ruby-indentation]
Availability: in universe.
Rationale: build dependency of ruby-safe-yaml (MIR report above), which is a 
dependency of puppet, which is in main.
Security: no prior security history. No security-sensitive executables. No 
daemon.
Quality assurance: simple Ruby module that becomes immediately available on 
installation. No debconf prompts (in fact no maintainer scripts). No existing 
bugs in Ubuntu or Debian. Only one minor flag in Debian PTS. Using the latest 
upstream release. I found that the existing test suite fails to run as part of 
the package build, so I've filed bug 1197894 to track this. A gemwatch-based 
watch file exists.
UI standards: N/A
Dependencies: all are in main (just standard Ruby dependencies; nothing 
esoteric or specific to this module).
Standards compliance: FHS and policy compliant to 3.9.4.0. The packaging looks
like boilerplate best-practice Ruby packaging using debhelper (dh).
Maintenance: this is a simple Ruby module. Minimal maintenance expected.
Background information: none.

** Affects: ruby-hashie (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: ruby-indentation (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Affects: ruby-safe-yaml (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Changed in: ruby-safe-yaml (Ubuntu)
       Status: New => Incomplete

** Also affects: ruby-hashie (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: ruby-indentation (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: ruby-indentation (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1197896

Title:
  [MIR] ruby-safe-yaml, ruby-hashie, ruby-indentation


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs