I reviewed python-itsdangerous version 0.17-1 from saucy. This should
not be considered a full security audit, but rather a quick gauge of
code cleanliness.
- Package provides a message authentication code to validate data,
most likely to be used for storing data in client-controlled cookies.
- Build-deps usual Python tools
- Does not use encryption; uses SHA1 and HMAC. Pluggable to use
any Python-available hashing function. Can use zlib.
- No networking, no daemons, does not itself listen on network, no
init scripts, no dbus services, no setuid, no binaries, no sudo,
no cron jobs
- Clean build logs
- No subprocesses
- Very few routines read/write files; very simple duck-typing is used
in the few cases that can handle files.
- No logging
- No environment variables
- No privileged code execution
- No encryption -- only simple hashing constructions are used.
- Does not itself perform networking
- No /tmp/ files
- No webkit, JS
The code is well-written and clean.
Security team ACK for including into main.
Thanks
** Changed in: python-itsdangerous (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
https://bugs.launchpad.net/bugs/1196965
Title:
[MIR] python-itsdangerous (b-d of flask)
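As an added illustration, not the package's own code (itsdangerous has its own API), this sketch shows the construction the review describes: an HMAC over a visible, unencrypted payload, a pluggable hash, optional zlib compression, and a constant-time check on the way back in. The secret, salt, "." separator and leading-dot compression marker are assumptions of this example.

```python
import base64
import hashlib
import hmac
import zlib

# Constructed values for the demonstration only; a real deployment loads the
# secret from configuration and never places it in the client-visible cookie.
SECRET_KEY = b"demo-secret-key-not-for-production"
SALT = b"cookie-session"  # namespaces the key so one secret serves many purposes


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding keeps the token cookie- and URL-friendly.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derived_key(secret: bytes, salt: bytes, digest) -> bytes:
    # Per-purpose key: hash the salt together with the secret (assumed scheme).
    return digest(salt + b"signer" + secret).digest()


def sign(payload: bytes, secret: bytes = SECRET_KEY, salt: bytes = SALT,
         digest=hashlib.sha1, compress: bool = False) -> str:
    """Return 'payload.signature'; the payload stays readable, only its integrity is protected."""
    body = zlib.compress(payload) if compress else payload
    encoded = ("." if compress else "") + _b64encode(body)  # leading dot marks compression
    mac = hmac.new(_derived_key(secret, salt, digest), encoded.encode("ascii"), digest).digest()
    return encoded + "." + _b64encode(mac)


def unsign(token: str, secret: bytes = SECRET_KEY, salt: bytes = SALT,
           digest=hashlib.sha1) -> bytes:
    """Return the payload if the MAC verifies, otherwise raise ValueError."""
    if "." not in token:
        raise ValueError("malformed token")
    encoded, sig_text = token.rsplit(".", 1)
    expected = hmac.new(_derived_key(secret, salt, digest), encoded.encode("ascii"), digest).digest()
    given = _b64decode(sig_text)
    # Constant-time comparison so a client cannot learn how many signature bytes matched.
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    if encoded.startswith("."):
        return zlib.decompress(_b64decode(encoded[1:]))
    return _b64decode(encoded)
```

Because the payload is only encoded, anything placed in the cookie should be treated as public; the MAC stops modification, not disclosure.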