[Duplication]
This is part of the six core packages of mailman3 that pull in further components as needed. Since this represents mailman doing mailing list processing there is a duplication with mailman2. But the intention is to stop seeding mailman2 as soon as mailman3 gets promoted.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package.

[Security]
I can confirm that there seems to be no CVE/Security history for this package. But there is enough for mailman2 (and a bit for 3) that we should expect not (much) less in the future when it becomes more widely used.
=> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mailman

It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- integrate arbitrary javascript into the desktop
- deal with system authentication
- use centralized online accounts
- process arbitrary web content
- parse data formats

This is the overarching element that pulls together Mailman3, Postorius, HyperKitty and UWSGI to provide the mailman3 services on the web. It actually doesn't do anything on its own, but depends on the right packages and provides a WSGI config for hyperkitty. It also contains all the default settings for those, therefore I'll mark it for security review as well. Less for the package itself, but for its role in regard to the other, more exposed components.

[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- No tests for itself, but this is mostly integrating other components which all have autopkgtests as reverse deps

[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
Ack from the MIR-Team's POV, but as outlined above a security review is recommended. Assigning the security Team.

** Changed in: mailman-suite (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1820206
Title: [MIR] mailman-suite as dependency of mailman3
