I reviewed coreapi 2.3.3-2 from eoan. This isn't a full security audit,
but rather a quick gauge of maintainability.
- coreapi is a small Python library that allows interacting with any API
that exposes a supported schema or hypermedia format
- There is no CVE history for coreapi.
- Relevant Build-Depends: python-setuptools, python-coreschema,
python-itypes, python-requests, python-uritemplate, python3-all,
python3-setuptools, python3-coreschema, python3-itypes,
python3-requests, python3-uritemplate
- Relevant Depends: python3-coreschema, python3-itypes, python3-requests,
python3-uritemplate
- Dependencies not in main:
  - coreschema (bug 1820180)
  - itypes (bug 1820197)
  - python-uritemplate (bug 1820223)
- Upstream repo got a few commits in 2018, no substantial development, but
likely because the small library works as intended
- All code is written in Python
- Lintian reports no errors for this package
- No daemons
- Nothing relevant in maintainer scripts
- There does not appear to be a test suite
- There are no cron jobs
- There is a use of os.system in the codebase, but it is in the setup
script only, no security relevance
- No C code, so no C code warnings
- Output filenames are based on headers and urls, but are stripped
- No privileged operations
- Temp files use a secure API
- Packaging is trivial and easy to maintain
Security team ACK for promoting coreapi to main, once its dependencies have
been approved.
** Changed in: coreapi (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
https://bugs.launchpad.net/bugs/1820179
Title:
[MIR] coreapi as dependency of mailman3