I reviewed python3-openid version 3.1.0-1 as checked into disco as of this
writing.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

python3-openid is a set of python packages to support use of the OpenID
decentralized identity system in your application.

- No development or commit in the last 2 years. Some open issues, but only one
  might worry us. A user asks if Python 3.7 is supported (which is the
  current version of Python in disco). There's not much info on whether the user
  saw an issue when running with Python 3.7.
  https://github.com/necaris/python3-openid/issues/39
- No CVE history
- Build-depends:
 - dh-python,
 - python3-all,
 - python3-setuptools
- postinst and prerm added automatically
- No init scripts
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Some tests under openid/test/
- No cron jobs
- No security-relevant warnings:
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-python3-openid-dummy
dpkg-source: warning: extracting unsigned source package (python3-openid_3.1.0-1.dsc)
warning: no files found matching 'NOTICE'
warning: no files found matching 'CHANGELOG'
warning: no files found matching 'README.md' under directory 'examples'
warning: no files found matching '*.css' under directory 'doc'
warning: no files found matching '*.html' under directory 'doc'
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning:   sbuild-build-depends-core-dummy sbuild-build-depends-lintian-dummy sbuild-build-depends-python3-openid-dummy


- Subprocess spawned in contrib/openid-parse: it spawns "xsel -o -b"
- File IO
 - a few file operations, look safe
- Logging
 - logging in case of error or warning
 - uses the logging module for logging errors and the warnings module for warnings
 - look safe
- No environment variables (only in examples)
- No privileged operations
- Networking
 - SQLite3 connection
 - MySQL connection
 - PostgreSQL connection
 - fetches http request with pycurl
 - parses html
- Encryption
 - makes use of pycurl for fetching http requests
- No WebKit
- No PolicyKit
- No shell scripts

- Coverity analysis:
 1. False positive
python3-openid-3.1.0/openid/fetchers.py:360
  Checker: REVERSE_INULL
python3-openid-3.1.0/openid/fetchers.py:356:
  deref: Accessing a property of "headers".
python3-openid-3.1.0/openid/fetchers.py:360:
  check_after_deref: Null-checking "headers" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.

 2. Test code, so considering it low
python3-openid-3.1.0/openid/test/__init__.py:170
  Checker: UNREACHABLE
python3-openid-3.1.0/openid/test/__init__.py:170:
  unreachable: This code cannot be reached: "return django.test.simple.r...".

 3. Test code, so considering it low
python3-openid-3.1.0/openid/test/test_association_response.py:331
  Checker: FORWARD_NULL
python3-openid-3.1.0/openid/test/test_association_response.py:330:
  1. path: Condition "ret === None", taking true branch.
python3-openid-3.1.0/openid/test/test_association_response.py:330:
  2. null_check: Comparing "ret" to a null-like value implies that "ret" might be null-like.
python3-openid-3.1.0/openid/test/test_association_response.py:331:
  3. property_access: Accessing a property of null-like value "ret".

 4. Test code, so considering it low
python3-openid-3.1.0/openid/test/trustroot.py:42
  Checker: FORWARD_NULL
python3-openid-3.1.0/openid/test/trustroot.py:40:
  1. path: Condition "tr === None", taking true branch.
python3-openid-3.1.0/openid/test/trustroot.py:40:
  2. null_check: Comparing "tr" to a null-like value implies that "tr" might be null-like.
python3-openid-3.1.0/openid/test/trustroot.py:42:
  3. property_access: Accessing a property of null-like value "tr".


To sum up:

1. It would be nice if someone could verify the Python issue.
2. Will we want to support a project that might have halted development or been
abandoned?

So before the ACK or NACK we would appreciate it if someone could answer
these questions.

Thanks

** Bug watch added: github.com/necaris/python3-openid/issues #39
   https://github.com/necaris/python3-openid/issues/39

https://bugs.launchpad.net/bugs/1820211

Title:
  [MIR] python3-openid as dependency of mailman3
