Public bug reported:

[ruby-safe-yaml]

Availability: in universe.

Rationale: dependency of puppet, which is in main.

Security: no existing security history. But this is a security sensitive component, and perhaps needs a security review. A puppetmaster parses input from puppet clients, and we don't want such clients to be able to compromise the puppetmaster. CVE-2013-3567 is an example of how this can happen.

Quality assurance: simple Ruby module that becomes immediately available on installation. No debconf prompts (in fact no maintainer scripts). No outstanding bugs. No flags in Debian PTS. Existing tests run as part of the package build. A gemwatch-based watch file exists.

UI standards: N/A

Dependencies: two build dependencies ruby-hashie and ruby-indentation are in universe; MIR reports are below. All other dependencies are in main (just standard Ruby dependencies; nothing esoteric or specific to this module).

Standards compliance: FHS and policy compliant to 3.9.4.0. The packaging looks like boilerplate best-practice ruby packaging using debhelper (dh).

Maintenance: this is a simple Ruby module. Minimal maintenance expected, except for the need to keep up with the latest upstream releases as it is security sensitive. The Debian puppet maintainers have the same concerns as us here, so I don't think this will be a problem.

Background information: this is now a dependency of puppet. I believe this happened as a result of https://puppetlabs.com/security/cve/cve-2013-3567/. This package was adopted into the puppet source package to fix this particular vulnerability in Ubuntu, since the vendor switched to this upstream module. We now need this in main so that we can depend on it.
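The Security section above is about one concrete risk: a YAML loader that turns client-supplied tags into arbitrary Ruby objects. The following is an added illustration, not code from the bug report, the puppet package or the safe_yaml gem. It uses the safe loader built into Ruby's standard Psych library (YAML.safe_load, the same interface the ruby-safe-yaml gem provides), so it runs with no extra gem installed. The NodeReport class and the two YAML documents are constructed for the example; the rejection behaviour and the permitted_classes allowlist are standard Psych.

```ruby
require 'yaml'

# Constructed stand-in for any Ruby class a tagged YAML node might name.
# It is deliberately harmless: the point is that the loader, not the class,
# decides whether client-supplied data may instantiate objects at all.
class NodeReport
  attr_accessor :hostname
end

# Constructed sample: plain data of the kind a client sends (hostname, facts).
PLAIN_DOC = <<~YAML
  hostname: node1.example.internal
  facts:
    osfamily: Debian
    uptime_seconds: 1234
YAML

# Constructed sample: the same data, but tagged so that a permissive loader
# would build a NodeReport instance instead of a plain Hash.
TAGGED_DOC = <<~YAML
  --- !ruby/object:NodeReport
  hostname: node1.example.internal
YAML

# Parse YAML received from a client with the safe loader. By default only the
# core YAML types (strings, numbers, booleans, nil, arrays, hashes) are built;
# any tag naming a Ruby class is refused with Psych::DisallowedClass and
# aliases are refused with Psych::BadAlias. Returns [:ok, data] or
# [:rejected, reason] so the caller can log the reason and drop the message.
def load_client_yaml(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

# Same loader with an explicit allowlist, for a service that genuinely needs a
# small set of its own classes to round-trip. Anything not listed is still
# rejected. (permitted_classes: is the Psych 3.1+ keyword; older Psych took
# the list as a positional argument.)
def load_client_yaml_with_allowlist(doc, classes)
  [:ok, YAML.safe_load(doc, permitted_classes: classes)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p load_client_yaml(PLAIN_DOC)                                  # [:ok, {...}]
  p load_client_yaml(TAGGED_DOC)                                 # [:rejected, "..."]
  p load_client_yaml_with_allowlist(TAGGED_DOC, [NodeReport])    # [:ok, #<NodeReport ...>]
end
```

The design point for a server that parses reports from many clients is that the allowlist is a property of the parsing call, not of the data: the untagged document loads as a Hash, the tagged document is refused outright, and only a loader that explicitly names NodeReport will build one. Note that in Psych 4 (Ruby 3.1 and later) YAML.load itself became safe by default, so the contrast in this example is with the older permissive YAML.load behaviour that CVE-2013-3567 concerned.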
[ruby-hashie]

Availability: in universe.

Rationale: build dependency of ruby-safe-yaml (MIR report above), which is a dependency of puppet, which is in main.

Security: no prior security history. No security-sensitive executables. No daemon.

Quality assurance: simple Ruby module that becomes immediately available on installation. No debconf prompts (in fact no maintainer scripts). No existing bugs in Ubuntu or Debian. There is a (minor) new upstream release available, but otherwise the simplicity of the module means that little maintenance has been needed. Existing tests run as part of the package build. A gemwatch-based watch file exists and is working.

UI standards: N/A

Dependencies: all are in main (just standard Ruby dependencies; nothing esoteric or specific to this module).

Standards compliance: FHS and policy compliant to 3.9.4.0. The packaging looks like boilerplate best-practice ruby packaging using debhelper (dh).

Maintenance: this is a simple Ruby module. Minimal maintenance expected.

Background information: none.

[ruby-indentation]

Availability: in universe.

Rationale: build dependency of ruby-safe-yaml (MIR report above), which is a dependency of puppet, which is in main.

Security: no prior security history. No security-sensitive executables. No daemon.

Quality assurance: simple Ruby module that becomes immediately available on installation. No debconf prompts (in fact no maintainer scripts). No existing bugs in Ubuntu or Debian. Only one minor flag in Debian PTS. Using the latest upstream release. I found that the existing test suite fails to run as part of the package build, so I've filed bug 1197894 to track this. A gemwatch-based watch file exists.

UI standards: N/A

Dependencies: all are in main (just standard Ruby dependencies; nothing esoteric or specific to this module).

Standards compliance: FHS and policy compliant to 3.9.4.0. The packaging looks like boilerplate best-practice ruby packaging using debhelper (dh).
Maintenance: this is a simple Ruby module. Minimal maintenance expected.

Background information: none.

** Affects: ruby-hashie (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: ruby-indentation (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Affects: ruby-safe-yaml (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Changed in: ruby-safe-yaml (Ubuntu)
       Status: New => Incomplete

** Also affects: ruby-hashie (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: ruby-indentation (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: ruby-indentation (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1197896

Title:
  [MIR] ruby-safe-yaml, ruby-hashie, ruby-indentation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ruby-hashie/+bug/1197896/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs