I reviewed pyqt5 version 5.2.1+dfsg-1ubuntu1 as checked into trusty. This is not a full security audit, but only a quick gauge of maintainability.

- pyqt5 provides python bindings for the qt library
- Build-Depends: dpkg-dev, debhelper, fdupes, libdbus-1-dev, libglib2.0-dev, libgstreamer0.10-dev, libgstreamer-plugins-base0.10-dev, libicu-dev, libpulse-dev, libqt5opengl5-dev, libqt5sensors5-dev, libqt5serialport5-dev, libqt5svg5-dev, libqt5webkit5-dev, libqt5xmlpatterns5-dev, libqt5x11extras5-dev, libsqlite3-dev, libudev-dev, libxml2-dev, libxslt1-dev, python3-all-dbg, python3-all-dev, python3-dbus, python3-dbus-dbg, python3-sip-dbg, python3-sip-dev, python3-sphinx, python-dbus-dev, qtdeclarative5-dev, qtmultimedia5-dev, qtlocation5-dev, qttools5-dev
- No cryptography
- Does not itself do networking
- Does not itself daemonize
- postinst and prerm cache and remove cached binaries
- No initscripts
- No dbus services
- No setuid executables
- Three binaries in /usr/bin/
- No sudo fragments
- No udev rules
- No test suite
- No cronjobs
- Some warnings in build logs, probably not a concern
- Subprocesses rarely spawned, looked careful
- Memory management looked so-so; most failed allocations would crash quickly, however
- Files frequently manipulated, parameters supplied by callers
- Logging looked safe
- Environment handling looked safe
- No privileged code portions
- No cryptography
- Does not itself do networking
- No temporary files
- Does use WebKit. See discussion in this bug for details. The security team cannot support any webkit packages except oxide.
- Does not appear to use qtjsbackend directly
- Clean cppcheck
- No polkit

The code looked pretty clean, if complicated; most of the complication is due to the problem being solved, though.

Security team ACK for promoting pyqt5 to main -- so long as all stakeholders recognize that all webkit packages are entirely unsupported.

https://bugs.launchpad.net/bugs/1301108
Title: [MIR] pyqt5
