I reviewed pyjwt 0.2.1-1 as included in vivid via a sync from Debian.

- CVE history: no known CVEs as of time of review
- PyJWT provides a JSON Web Token implementation in python (2 & 3).
- Crypto dependencies: depends on hashlib and hmac, and PyCrypto for RSA.
- no daemons
- pre/post inst/rm scripts: standard generated dh_python scripts
- no init scripts
- no dbus services
- no setuid executables
- Provides jwt and jwt3 binaries
- no sudo fragments
- no udev rules
- test suite: upstream has a test suite, but it's not included in the orig tarball. This looks to have been an upstream issue: https://github.com/jpadilla/pyjwt/issues/36. Would be preferred to have a newer version that includes the upstream tests and have them run at build time (if possible).
- no cron jobs
- I didn't see any subprocesses being spawned
- no file operations, everything passed as either function arguments or (for the binaries), command line arguments.
- no environment use
- no logging is done, either exceptions are raised or messages sent to stdout via print()
- no privileged operations
- Crypto only does signature generation or verification, and uses hashlib or pycrypto functions to do so, avoiding most TLS issues.
- Code does no handling of networking directly, is presumably handed json from network services.
- no temporary file handling
Packaging

- no Ubuntu delta
- no team is subscribed to package bugs
- the package has a debian watch file, but is currently broken and probably needs to be updated per https://wiki.debian.org/Python/LibraryStyleGuide#debian.2Fwatch or reference the github releases directly
- upstream releases seem to be relatively frequent and upstream appears responsive to bug reports.
- debian package has had only one upload, 0.2.1-1, which lags the current upstream version (0.4.2 as of time of review).
- no lintian warnings
- debian/rules is straightforward and uses dh_python + pybuild.
- no open bugs in Debian BTS or Launchpad (besides this MIR).

One packaging issue is that for an implementation to conform with http://self-issued.info/docs/draft-jones-json-web-token-01.html, it needs to support RSA signatures; however, pyjwt will not do so unless python-crypto is installed, and there are no Depends:, Recommends:, or Suggests: on the python-crypto packages.

The codebase is small: the python library consists of one file with a second for the binary driver.

I'm not really happy that the debian package is lagging so far behind the upstream releases; a bunch of refactoring has occurred that may make backporting security issues more difficult, though the codebase is small and simple enough such that it shouldn't be a non-starter. Also, the more recent releases do a bit more sanity checking to ensure inputs are valid, though nothing that looks security sensitive.

Also, the v0.4.0 upstream release includes a switch to using python-cryptography. The listed reasons for doing so are that it's a more actively maintained upstream and has performance improvements; the downside for Ubuntu is that it also would need a MIR.

Security team ACK for promoting to main.

** Changed in: pyjwt (Ubuntu)
Assignee: Steve Beattie (sbeattie) => (unassigned)
https://bugs.launchpad.net/bugs/1427852
Title: [MIR] pyjwt (b-d of python-oauthlib)
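The review above notes that pyjwt's HMAC path does nothing beyond signature generation and verification with hashlib and hmac, and that newer releases add input sanity checks. The following is an added example written for this page, not PyJWT's own code, showing what that HS256 sign/verify path looks like with only the standard library: the algorithm accepted on decode is pinned rather than taken from the token header, the comparison is constant-time, and malformed tokens are rejected. The secret and payload are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example (not taken from the review).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_PAYLOAD = {"sub": "reader@example.invalid", "role": "reader"}


def _b64url_encode(data: bytes) -> str:
    # JWT segments are unpadded base64url; strip the '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding removed by _b64url_encode before decoding.
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def hs256_encode(payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ])
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def hs256_decode(token: str, secret: bytes) -> dict:
    """Verify an HS256 token and return its payload; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three dot-separated segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm we are willing to verify with; the header is untrusted
    # input and must not be allowed to choose the verification method.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak signature bytes via timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def is_valid(token: str, secret: bytes) -> bool:
    """Convenience wrapper: True when the token verifies under this secret."""
    try:
        hs256_decode(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = hs256_encode(SAMPLE_PAYLOAD, SAMPLE_SECRET)
    print(token)
    print(hs256_decode(token, SAMPLE_SECRET))
```

Running the module signs the sample payload and verifies it round-trip; altering any segment of the token, or verifying with a different secret, makes hs256_decode raise ValueError. The RSA path the review discusses (RS256 via PyCrypto) is not shown here because it needs the optional dependency the review says the Debian package does not declare.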
