Hello; I reviewed python-ws4py version 0.3.4-3 as checked into Ubuntu yakkety. This shouldn't be considered a full security audit but rather a quick gauge of maintainability.

- No CVEs in our UCT database
- python-ws4py provides a python interface to websockets, both client and server implementations, for pure-python stdlib, tornado, gevent (the client) and cherrypy, gevent, wsgiref, and asyncio (the server).
- Build-deps: debhelper, dh-python, python-all, python-cherrypy3, python-gevent, python-mock, python-nose, python-setuptools, python-sphinx, python-sphinxcontrib.seqdiag, python-tornado, python3-all, python3-cherrypy3, python3-mock, python3-nose, python3-setuptools, python3-sphinx, python3-sphinxcontrib.seqdiag, python3-tornado
- Extensive networking
- No cryptography
- Does not itself daemonize
- Can listen on network sockets
- Does not itself pick userid
- pre/post inst/rm are automatically generated
- No init scripts
- No dbus services
- Not setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Smallish testsuite run during build; upstream uses a functional test framework for their releases
- No cron jobs
- Mostly clean build logs with a surprising entry:
  Warning: apt-key output should not be parsed (stdout is not a terminal)

- No subprocesses spawned
- Doesn't itself open files
- Light logging
- Does not itself use environment variables
- Does not itself use privileged functions
- No cryptography
- A lot of simple networking; complicated framing mechanism
- WSGI / gevent / asyncio / tornado / cherrypy
- No privileged portions of code
- No temporary files
- No WebKit
- No PolicyKit
- No JavaScript

This looked to be professionally programmed and while it touches on complicated areas of networking protocols and browsers, itself looks clean and straightforward.

There are notes in the documentation that the wsgi and asyncio server implementations look immature or unsuitable by design for production use, so clients may need to be careful about which functionality is used. Presumably clients can be smart about this.

Security team ACK for promoting python-ws4py to main.

Thanks

** Changed in: python-ws4py (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1590425

Title:
  [MIR] python-ws4py