Public bug reported:

[Availability]
python-distro and python3-distro are available in universe and are architecture independent.

[Rationale]
python3-distro is an upcoming build dependency of Azure's WALinuxAgent, which we support in main. This change is being made in advance of Python 3.7, which drops some platform detection features from the standard library. python3-distro provides these features.

For details, see: https://github.com/Azure/WALinuxAgent/pull/1036 (and we have an open support case on this also)

[Security]
There don't appear to have been any CVEs reported against python-distro.

There are no binaries installed, but one item on the list is "Add-ons and plugins to security-sensitive software (filters, scanners, UI skins, etc)" - as this is a python module it could end up in anything. As such, I had a quick flick through the code.

The only installed python code is distro.py.

The only interactions I can see it doing with the outside world are:
 - running lsb_release and uname through the python subprocess module. They're run through relative paths rather than absolute paths, but that might be required for cross-distro compatibility.
 - reading an os_release and/or other distro release file. They're opened read-only.
 - querying the UNIXCONFDIR environment variable.

If you could manipulate the environment variables and manipulate the filesystem, you could get a different binary named uname or lsb_release to be run. In the absence of a setuid binary I don't think that really gets you anywhere new. This ships no setuid binaries and the walinuxagent binaries don't seem to be setuid either.

In short, I don't think this could be used to get anything useful.

[Quality assurance]
- "After installing the package it must be possible to make it working with a reasonable effort of configuration and documentation reading."

The package is available to use as a python module immediately.
Documentation is available in the standard Python way:

    >>> import distro
    >>> help(distro)

- "The package must not ask debconf questions higher than medium if it is going to be installed by default. The debconf questions must have reasonable defaults."

There are no debconf questions.

- "There are no long-term outstanding bugs which affect the usability of the program to a major degree. To support a package, we must be reasonably convinced that upstream supports and cares for the package."
- "The status of important bugs in Debian's, Ubuntu's, and upstream's bug tracking systems must be evaluated. Important bugs must be pointed out and discussed in the MIR report."
- "The package is maintained well in Debian/Ubuntu (check out the Debian PTS)"

{Upstream}
Looking at https://github.com/nir0s/distro, the latest commit was 15 days ago, and there seems to be steady, albeit slow, work on the package with a view to releasing a version 2 at some point in the future. It would seem that upstream supports and cares for the package.

Looking at issues at https://github.com/nir0s/distro/issues, there are no open bugs that would affect Ubuntu, and certainly no major bugs.

{Debian}
See https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=python-distro

There is only 1 open bug, and it's a trivial documentation bug with no impact on functionality, and it's already been fixed pending upload. The only previous bug was a missing dependency on lsb-release which was fixed in 2016.

{Ubuntu}
See https://bugs.launchpad.net/ubuntu/+source/python-distro

No bugs reported ever.

- "The package should not deal with exotic hardware which we cannot support."

N/A

- "If the package ships a test suite, ..., it should be run during package build, and a failing test suite should fail the build."

Tests are run during build with dh_auto_test.

- "The package uses a debian/watch file whenever possible."

debian/watch is used.

- "The package should not rely on obsolete or about to be demoted packages."

None.
python2 is supported but not required and python3 has first class support.

[UI standards]
N/A; no binaries shipped.

[Dependencies]
The only dependencies are lsb-release and python2/3, both in main.

[Standards compliance]
The package is built with the standard Debian python tooling, and appears to put things in normal places. The source packaging is minimal and simple. (Having said that, I'm not a policy expert, so I may have missed something.)

[Maintenance]
This is a simple package. It appears to be well maintained in Debian, so we should be able to keep it synced with Debian. It shouldn't require any Ubuntu-specific maintenance.

** Affects: python-distro (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1768719

Title:
  [MIR] python-distro
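
The [Security] section notes that lsb_release and uname are run by bare name and that UNIXCONFDIR is read from the environment. The following is an added example, not part of the original report and not code from distro.py: a check a calling service could run to see whether its PATH resolves those two commands differently from a fixed system path, plus a cleaned environment for child processes. TRUSTED_PATH, the function names, and the temporary directories in demo() are assumptions made for illustration.

```python
import os
import shutil
import tempfile

# Assumption: directories treated as trusted for system tools on this host.
TRUSTED_PATH = os.pathsep.join(["/usr/sbin", "/usr/bin", "/sbin", "/bin"])
COMMANDS = ("lsb_release", "uname")  # the two commands named in the report


def resolve(cmd, path):
    """Return the real file a bare command name resolves to under `path`."""
    found = shutil.which(cmd, path=path)
    return os.path.realpath(found) if found else None


def audit(env_path, trusted_path=TRUSTED_PATH, commands=COMMANDS):
    """List commands whose resolution under env_path differs from the trusted one."""
    findings = []
    for cmd in commands:
        actual = resolve(cmd, env_path)
        expected = resolve(cmd, trusted_path)
        if actual != expected:
            findings.append((cmd, actual, expected))
    return findings


def hardened_env(base=None):
    """Environment for child processes: fixed PATH and no UNIXCONFDIR override."""
    env = dict(os.environ if base is None else base)
    env["PATH"] = TRUSTED_PATH
    env.pop("UNIXCONFDIR", None)
    return env


def demo():
    """Constructed sample: a directory earlier in PATH that shadows `uname`."""
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "trusted")
        early = os.path.join(root, "early")
        for d, names in ((trusted, COMMANDS), (early, ("uname",))):
            os.makedirs(d)
            for name in names:
                tool = os.path.join(d, name)
                with open(tool, "w") as fh:
                    fh.write("#!/bin/sh\n")
                os.chmod(tool, 0o755)
        return audit(early + os.pathsep + trusted, trusted_path=trusted)
```

On a real host, audit(os.environ.get("PATH", "")) reports any mismatch for the running process, and hardened_env() can be applied to the service's environment before the module is imported.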