I reviewed python-django-debreach version 1.5.2-0ubuntu1 as checked into disco as of this writing. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
Django-debreach is a project that adds basic/extra mitigation against BREACH attacks for Django projects.

- No CVEs registered against python-django-debreach.
- Build-depends:
  - debhelper (>= 10),
  - dh-python,
  - openstack-pkg-tools,
  - python-all,
  - python-setuptools,
  - python3-all,
  - python3-setuptools,
- postinst and post/pre rm automatically added
- No init scripts
- No systemd services
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- There are 12 tests that are run during build
  - 11 are OK
  - 1 skipped: 'The CSRF token is always present in Django 1.9+'
- No cron jobs
- Some warnings but apparently nothing security relevant:

    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-python-django-debreach-dummy
    dpkg-source: warning: extracting unsigned source package (python-django-debreach_1.5.2-0ubuntu1.dsc)
    warning: no files found matching '*.html' under directory 'debreach'
    warning: no files found matching '*.png' under directory 'debreach'
    warning: no files found matching '*.gif' under directory 'debreach'
    warning: no files found matching '*js' under directory 'debreach'
    warning: no files found matching '*jpg' under directory 'debreach'
    warning: no files found matching '*jpeg' under directory 'debreach'
    warning: no files found matching '*svg' under directory 'debreach'
    warning: no files found matching '*.html' under directory 'debreach'
    warning: no files found matching '*.png' under directory 'debreach'
    warning: no files found matching '*.gif' under directory 'debreach'
    warning: no files found matching '*js' under directory 'debreach'
    warning: no files found matching '*jpg' under directory 'debreach'
    warning: no files found matching '*jpeg' under directory 'debreach'
    warning: no files found matching '*svg' under directory 'debreach'
    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-lintian-dummy sbuild-build-depends-python-django-debreach-dummy

- Found some errors during source build, you guys might want to check it. Source build:

    dpkg-buildpackage -rfakeroot -us -uc -ui -S
    dpkg-buildpackage: info: source package python-django-debreach
    dpkg-buildpackage: info: source version 1.5.2-0ubuntu1
    dpkg-buildpackage: info: source distribution disco
    dpkg-buildpackage: info: source changed by Corey Bryant <[email protected]>
     dpkg-source --before-build source_build
    dpkg-checkbuilddeps: error: Unmet build dependencies: debhelper (>= 10) dh-python openstack-pkg-tools python-all python-setuptools python3-all python3-setuptools
    dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting
    dpkg-buildpackage: warning: (Use -d flag to override.)
    debuild: fatal error at line 1152:
    dpkg-buildpackage -rfakeroot -us -uc -ui -S failed
    FAIL

- No processes spawned
- Minimal file IO (for package setup only)
- No logging
- Environment variable use on runtest.py:

    os.environ['PYTHONPATH'] = os.path.dirname(__file__)
    os.environ['DJANGO_SETTINGS_MODULE'] = 'test_project.settings'

- No privileged functions
- No encryption implementation, but makes use of the django library for some crypto operations. middleware.py:

    from django.core.signing import b64_decode
    from django.utils.crypto import get_random_string
    from django.utils.encoding import force_bytes, force_text

- No network operation. Has a WSGI implementation/use just for test.
- No WebKit
- No PolicyKit

Overall code quality looks good.

Security team ACK for promoting python-django-debreach to main.
** Changed in: python-django-debreach (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: python-django-debreach (Ubuntu)
       Status: In Progress => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1805690

Title:
  [MIR] python-django-debreach

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django-debreach/+bug/1805690/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
