[Summary]
python-octavia-lib provides a python library for developers of Octavia provider drivers, allowing alternative LB solutions to be integrated into Octavia.
https://docs.openstack.org/octavia/latest/contributor/guides/providers.html

This does need a security review, so assigning to ubuntu-security.

MIR team ack for main inclusion (pending security team review).

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

TODO: Problems:

[Security]
OK:
- history of CVEs does not look concerning
  No security history
  https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=octavia-lib
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
  JSON is used as the on-the-wire format for communication between drivers and Octavia (using oslo_serialization which is already in main).
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (e.g. pam, etc.)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build upon error
- does have a test suite that runs as autopkgtest
  No - but covered by autopkgtests in octavia
- The package has a team bug subscriber
  ubuntu-openstack
- no translation present, but none needed for this case
- no new python2 dependency
- Python package that is using dh_python

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
  OpenStack ahead of Debian in terms of versions
- symbols tracking not applicable for this kind of code
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good but diverged
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

** Changed in: python-octavia-lib (Ubuntu)
     Assignee: James Page (james-page) => Ubuntu Security Team (ubuntu-security)

** Changed in: python-octavia-lib (Ubuntu)
    Milestone: later => ubuntu-20.10

** Changed in: ovn-octavia-provider (Ubuntu)
    Milestone: later => ubuntu-20.10

--
https://bugs.launchpad.net/bugs/1864666

Title:
  [MIR] python-octavia-lib, ovn-octavia-provider
