I reviewed golang-websocket version 0.0~git20150811.0.b6ab76f-1 as checked
into xenial. This should not be considered a full security audit.
- This package provides server-side websockets support
- Build-Depends: debhelper, dh-golang, golang-go
- Small use of cryptography in generating tokens:
  sha1(16 bytes random || "258EAFA5-E914-47DA-95CA-C5AB0DC85B11")
  I expect this use of sha-1 is fine
- Does not itself daemonize
- Does networking but under control of an application
- No maint scripts
- No init scripts
- No dbus services
- No setuid
- No binaries
- No sudo
- No udev
- Smallish but nice test suite run during the build
- No cronjobs
- Clean build logs
- No subprocesses spawned
- No manual memory management
- No file IO
- Logging looked fine
- No environment variables
- No privileged operations
- Only implements hashing; can be configured to not check hostname
validity of TLS sessions, seems fair
- Network input looked well-checked
- No privileged portions of code
- No temporary files
- No WebKit
- No PolicyKit
The code looks clean and clear, with tasteful comments, nice tidy test
suite.
Security team ACK for promoting golang-websocket to main. Note the
comments that suggested only the -dev package is needed.
Thanks
** Changed in: golang-websocket (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
https://bugs.launchpad.net/bugs/1520689
Title: [MIR] golang-websocket-dev
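The token the review's "small use of cryptography" bullet describes is the RFC 6455 opening-handshake derivation: the client sends a base64-encoded 16-byte nonce as Sec-WebSocket-Key, and the server answers with base64(sha1(key || GUID)) as Sec-WebSocket-Accept. The Go below is an added illustration of both sides, not code from golang-websocket; the function names are mine, and the only fixed input used in the checks is the RFC's own sample nonce.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// RFC 6455 handshake GUID, the constant quoted in the review above.
const websocketGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

// NewClientKey is the client side: Sec-WebSocket-Key is 16 random bytes, base64-encoded.
func NewClientKey() (string, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(nonce[:]), nil
}

// ValidateClientKey: a server should refuse a key that does not decode to exactly 16 bytes (RFC 6455 4.2.1).
func ValidateClientKey(clientKey string) bool {
	raw, err := base64.StdEncoding.DecodeString(clientKey)
	return err == nil && len(raw) == 16
}

// ComputeAccept is the server side: Sec-WebSocket-Accept = base64(sha1(key || GUID)).
func ComputeAccept(clientKey string) string {
	h := sha1.New()
	h.Write([]byte(clientKey))
	h.Write([]byte(websocketGUID))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// VerifyAccept is the client side: constant-time comparison of the server's answer with the expected value.
func VerifyAccept(clientKey, accept string) bool {
	return subtle.ConstantTimeCompare([]byte(ComputeAccept(clientKey)), []byte(accept)) == 1
}

func main() {
	key, err := NewClientKey() // a fresh constructed nonce on every run
	if err != nil {
		panic(err)
	}
	accept := ComputeAccept(key)
	fmt.Printf("Sec-WebSocket-Key: %s\nSec-WebSocket-Accept: %s\nverified: %v\n", key, accept, VerifyAccept(key, accept))
}
```

SHA-1 here only proves the server saw and understood the client's key, so an ordinary HTTP server cannot accidentally complete a WebSocket handshake; nothing in the protocol rests on its collision resistance.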