[Duplication]
No duplication of that functionality in the Archive in general or main in
particular.
[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package
[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It Does not:
- run a daemon as root
- uses old webkit
- uses lib*v8 directly
- open a port
- uses centralized online accounts
- integrates arbitrary javascript into the desktop
- parse data formats
But it does:
- deals with system authentication
- processes arbitrary web content
This is the gravatar integration for django.
While it isn't the component that does the authnetication it is still tied into
identity management in general.
Django after all is a web framework, and since this part deals with security
sensitive details I think a security review should be done for this package.
[Common blockers]
- builds fine at the moment
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not directly user visible (gravatar urls not the UI), no translation
needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3
- utilizes (rather trivial) smoke test as autopkgtest.
Not perfect but ok
- utilizes no build time self tests
[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder
[Upstream red flags]
- no suspicious errors during build (a few warnings, but nothing concerning)
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either
[Summary]
Ack from the MIR-Teams POV, but as outlined above a security review is
recommended.
Assigning the security Team.
** Changed in: python-django-gravatar2 (Ubuntu)
Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820216
Title:
[MIR] python-django-gravatar2 as dependency of mailman3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-django-gravatar2/+bug/1820216/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
