Hello; I reviewed python-ws4py version 0.3.4-3 as checked into Ubuntu
yakkety. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- No CVEs in our UCT database
- python-ws4py provides a python interface to websockets, both client and
  server implementations, for pure-python stdlib, tornado, gevent, (the
  client) and cherrypy, gevent, wsgiref, and asyncio (the server).
- Build-deps: debhelper, dh-python, python-all, python-cherrypy3,
  python-gevent, python-mock, python-nose, python-setuptools, python-sphinx,
  python-sphinxcontrib.seqdiag, python-tornado, python3-all, python3-cherrypy3,
  python3-mock, python3-nose, python3-setuptools, python3-sphinx,
  python3-sphinxcontrib.seqdiag, python3-tornado
- Extensive networking
- No cryptography
- Does not itself daemonize
- Can listen on network sockets
- Does not itself pick userid
- pre/post inst/rm are automatically generated
- No init scripts
- No dbus services
- Not setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Smallish testsuite run during build; upstream uses a functional test
  framework for their releases
- No cron jobs
- Mostly clean build logs with a surprising entry:
  Warning: apt-key output should not be parsed (stdout is not a terminal)
- No subprocesses spawned
- Doesn't itself open files
- Light logging
- Does not itself use environment variables
- Does not itself use privileged functions
- No cryptography
- A lot of simple networking; complicated framing mechanism
- WSGI / gevent / asyncio / tornado / cherrypy
- No privileged portions of code
- No temporary files
- No WebKit
- No PolicyKit
- No JavaScript

This looked to be professionally programmed, and while it touches on
complicated areas of networking protocols and browsers, it itself looks clean
and straightforward. There are notes in the documentation that the wsgi
and asyncio server implementations look immature or unsuitable by design
for production use, so clients may need to be careful about which
functionality is used. Presumably clients can be smart about this.

Security team ACK for promoting python-ws4py to main.

Thanks


** Changed in: python-ws4py (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1590425

Title:
  [MIR] python-ws4py
