I reviewed uvloop version 0.8.1+ds1-1 as checked into bionic. This
shouldn't be considered a full security audit but rather a quick gauge
of maintainability.

- uvloop provides a thin shim around libuv1 for Python asyncio
programming.
- No CVE history in our database
- Build-Depends: debhelper, dh-python, libuv1-dev, cython3,
python3-all-dev, python3-all-dbg, python3-setuptools, python3-pytest,
python3-aiohttp,
- Does not do cryptography
- Does extensive networking
- Does not daemonize
- pre/post inst/rm sections auto-generated
- No initscript / systemd unit files
- No dbus services
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- Tests run during the build; scope not investigated
- No cronjobs
- Some build warnings, slightly messier than one might expect
- Does not itself spawn subprocesses, but provides wrappers for programs,
including unsafe versions.
- Memory management looked careful
- Does not itself open files
- Error logging looked careful
- Uses PYTHONASYNCIODEBUG variable to control debugging
- Does not itself do cryptography
- Extensive networking, but mostly as a thin shim to libuv1
- No privileged portions of code visible
- No temporary files
- No WebKit use
- No JavaScript use
- No PolicyKit use

I've never read code quite like this before: it's not just Python, it's
not just C to implement a Python module. A recent bugfix to address UDP
problems threw away the libuv1 bindings that had been used and re-wrote
functionality -- changes of this scope would be very difficult for us to
implement ourselves.

However, the code appears to be professionally programmed. Errors are
handled or reported and comments are high-quality.

Security team ACK for promoting uvloop to main.

Thanks

** Changed in: uvloop (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1745483
Title:
[MIR] uvloop