I reviewed python-rtslib-fb 2.1.71-0ubuntu1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.
python-rtslib-fb is a programmatic interface to the Linux kernel's LIO target. Working with Python objects causes writes to the kernel's /sys/kernel/config/target interface. It also provides an executable to save the live config to a file on service shutdown, and load the config into the running kernel on service start.

- No CVEs in our database; when I reported a low severity problem, a fix was committed 13 hours later.
- Build-Depends?
  - debhelper-compat (= 9), dh-python, openstack-pkg-tools (>= 99~), python3-all, python3-setuptools, python3-six
- pre/post inst/rm scripts?
  - postrm script improperly removes the alternatives entry against policy -- it should be called from prerm instead: https://lintian.debian.org/tags/maintainer-script-should-not-use-update-alternatives-remove.html
  - py3compile command isn't guarded with || true; -- is this correct?
- init scripts?
  - initscript has multiple shellcheck warnings
  - race condition combined with busy-wait "sleep"
- systemd units?
  - Creates directory with ExecStart=mkdir -p rather than ConfigurationDirectory= directive
- No dbus config
- No setuid executables
- new binary targetctl in PATH
- No sudo fragments
- No polkit rules
- No udev rules
- Very small number of tests -- as doctests -- and I can't tell if they run during the build or not
- No cron jobs
- Lintian warnings and errors reported
- Spawns a subprocess to perform module loading -- the subprocess itself looks fine, but the module loading feels out of place. There is probably a better way to do this.
- File IO is used extensively; some small helper functions are written to make it look easy. The tool works extensively in a virtual filesystem meant to configure things.
- Very little logging
- No environment variable use
- While this performs privileged operations, it mostly does so via read and write -- and the "modprobe" Popen.
- No cryptography
- No temp files
- No networking
- No webkit
- No policykit

While reading the code I found a low-severity issue and reported it: https://github.com/open-iscsi/rtslib-fb/issues/161 Upstream checked in a fix in 13 hours.

The systemd unit file uses an explicit mkdir call rather than using a declarative setting.

The postrm/prerm scripts need work.

Security team ACK for promoting python-rtslib-fb to main. I'd like the security fix and the packaging issues fixed before this package is promoted.

Thanks

** Bug watch added: github.com/open-iscsi/rtslib-fb/issues #161
   https://github.com/open-iscsi/rtslib-fb/issues/161

** Changed in: python-rtslib-fb (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1854362
Title: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
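As an added illustration of the systemd finding above (a constructed unit, not the package's own file): the imperative mkdir pattern the review flags, followed by the ConfigurationDirectory= form it recommends. The directory name "target" and the targetctl invocations are assumptions, not taken from the package.

```ini
# Constructed example, not the shipped unit. Assumed values: the
# directory /etc/target and the "targetctl restore/clear" commands.

# --- Pattern flagged in the review: a second ExecStart= that shells out
#     to mkdir before the real command runs (allowed for Type=oneshot).
[Unit]
Description=Restore LIO kernel target configuration (before)

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mkdir -p /etc/target
ExecStart=/usr/bin/targetctl restore
ExecStop=/usr/bin/targetctl clear

# --- Recommended form: declare the directory and let systemd create it
#     under /etc with the unit's ownership before ExecStart= runs, so no
#     extra process is spawned and the path is visible to "systemctl show".
[Unit]
Description=Restore LIO kernel target configuration (after)

[Service]
Type=oneshot
RemainAfterExit=yes
ConfigurationDirectory=target
ExecStart=/usr/bin/targetctl restore
ExecStop=/usr/bin/targetctl clear
```

systemd exports the resolved path to the service as $CONFIGURATION_DIRECTORY, so the program need not hard-code /etc/target either.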