I reviewed jeepney 0.4.3-1 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

jeepney is a pure Python D-Bus interface. D-Bus is an inter-process
communication system.

In its README file, the jeepney maintainer mentions: "This project is
experimental, and there are a number of more mature Python DBus bindings."
The mature options that the maintainer mentions don't seem to be as
maintained as jeepney.
- No CVE history
- Build-Depends:
  - python3-all
  - python3-pytest
  - python3-sphinx
  - python3-sphinx-rtd-theme
  - python3-testpath
- prerm and postinst scripts automatically created
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - the source code comes with some tests that can be run with pytest.
  - autopkgtests are also available for this package
- No cron jobs
- Build logs:
  - No relevant errors or warnings
- Processes spawned
  - Only in test code
- No memory management
- File IO
  - Opens and writes a .py output file when using bindgen to auto-generate
    DBus bindings. The path argument to bindgen is actually a DBus path and
    not a filesystem path.
  - There's not much handling of the output file; you can specify a path.
  - bindgen is a tool and not used anywhere else in the code.
- No logging
- No environment variable usage
- No use of privileged functions
- No use of cryptography / random number sources
- Use of temp files only in test code
- Use of networking
  - Uses sockets to connect to DBus when using tornado, asyncio or blocking I/O.
  - Looks safe
- No use of WebKit
- No use of PolicyKit
- Coverity only found issues in JavaScript code from the generated documentation
- Bandit found the following issues:
  - B405: import_xml_etree - LOW
  - B314: xml.etree.ElementTree.fromstring - MEDIUM
  - B101: assert_used - LOW
  - B105: hardcoded_password_string - LOW -> false positive
  - There are plenty of other LOW issues in test code that we are not analysing
  - Those issues are low enough to allow this MIR to continue
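To make the B405/B314 findings concrete, here is an added example (not jeepney's own code) of the kind of guard a reviewer would want around `xml.etree.ElementTree.fromstring` when it parses D-Bus introspection XML, which is the data a bindings generator like bindgen works from. The Python documentation states that `xml.etree.ElementTree` is not secure against maliciously constructed data; since entity declarations can only live in a DOCTYPE, the guard accepts a DOCTYPE only in the plain shape the D-Bus introspection format uses (PUBLIC id plus DTD URL, no internal subset) and rejects everything else before the stdlib parser sees it. All function names and both sample documents are this example's own constructions.

```python
"""Guarded parsing of D-Bus introspection XML (added example, not jeepney code).

Assumption: introspection data (the XML returned by
org.freedesktop.DBus.Introspectable.Introspect) is what ends up in
xml.etree.ElementTree.fromstring, as Bandit's B314 warning points at.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# The only DOCTYPE shape accepted: <!DOCTYPE node PUBLIC "<id>" "<url>">
# (expat does not fetch the referenced DTD). An internal subset "[...]",
# which is where ENTITY declarations live, cannot match because ">" must
# follow the second quoted literal directly.
_ALLOWED_DOCTYPE = re.compile(
    r'<!DOCTYPE\s+node(?:\s+PUBLIC\s+"[^"]*"\s+"[^"]*")?\s*>'
)


def check_no_entities(xml_text: str) -> None:
    """Raise ValueError unless the document is free of entity declarations."""
    if "<!ENTITY" in xml_text:
        raise ValueError("entity declarations are not allowed")
    doctypes = xml_text.count("<!DOCTYPE")
    if doctypes == 0:
        return
    if doctypes > 1 or _ALLOWED_DOCTYPE.search(xml_text) is None:
        raise ValueError("only the plain D-Bus introspection DOCTYPE is allowed")


def parse_introspection(xml_text: str) -> ET.Element:
    """Return the root <node> element after the entity check has passed."""
    check_no_entities(xml_text)
    root = ET.fromstring(xml_text)  # nosec: DOCTYPE/ENTITY rejected above
    if root.tag != "node":
        raise ValueError(f"expected <node> root, got <{root.tag}>")
    return root


def interfaces(xml_text: str) -> Dict[str, List[str]]:
    """Map each interface name to its method names (what a generator emits code for)."""
    root = parse_introspection(xml_text)
    return {
        iface.get("name", ""): [m.get("name", "") for m in iface.findall("method")]
        for iface in root.findall("interface")
    }


def accepts(xml_text: str) -> bool:
    """True if the document parses under the guard, False if it is rejected."""
    try:
        parse_introspection(xml_text)
    except (ValueError, ET.ParseError):
        return False
    return True


# Constructed sample in the shape real introspection data takes, including
# the conventional freedesktop DOCTYPE line, which must remain accepted.
SAMPLE_INTROSPECTION = """<?xml version="1.0"?>
<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
<node>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect">
      <arg name="data" type="s" direction="out"/>
    </method>
  </interface>
  <interface name="org.example.Counter">
    <method name="Increment"/>
    <method name="Get"/>
  </interface>
</node>"""

# Constructed sample of the input class B314 warns about: an internal DTD
# subset declaring an entity. A bare ET.fromstring would parse and expand it.
ENTITY_INTROSPECTION = """<?xml version="1.0"?>
<!DOCTYPE node [<!ENTITY e "x">]>
<node><interface name="&e;"/></node>"""

if __name__ == "__main__":
    print(interfaces(SAMPLE_INTROSPECTION))
    print("entity sample accepted:", accepts(ENTITY_INTROSPECTION))
```

The check runs on the raw text before parsing, so it costs nothing and does not depend on parser internals; documents that mention `<!DOCTYPE` in an unusual place are rejected rather than inspected, which is the right trade-off for data that arrives from another bus peer. `defusedxml` is the off-the-shelf alternative if a dependency is acceptable.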
Although the maintainer still considers it experimental, it is a good test
to have it on a non-LTS Ubuntu, as dbus-python is obsolete.

Keep in mind that jeepney has some limitations:
https://jeepney.readthedocs.io/en/latest/limitations.html

Security team ACK for promoting jeepney to main.
** Tags added: security-review-done
** Changed in: jeepney (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1861268
Title:
[MIR] jeepney
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs