[Summary]
MIR team ACK
This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main:
- python3-prometheus-client

Required TODOs:
- none
Recommended TODOs:
- Strongly recommended to update to v0.11.0 before promotion
- Better to subscribe early to the package than to forget it later

[Duplication]
python3-django-prometheus is related but would use python-prometheus-client to do the real work.
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this (python3-decorator is in main)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)

Problems:
- does parse data formats
- it also has a network component through python-twisted
=> That is worth a security review.

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build
- The package has a team bug subscriber
- no translation present, but none needed for this case (user visible)?
- no new python2 dependency
- Python package that is using dh_python

Problems:
- does not have a non-trivial test suite that runs as autopkgtest
- remember to subscribe to the package, could not find it for openstack-ubuntu-packagers or openstack-packagers

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- is not on the lto-disabled list

Problems:
- Debian/Ubuntu update history is not perfect, no update for a year
- the current release is not packaged (0.9 is of Nov 2020, 0.11 is current)

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu or Upstream
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

-- 
https://bugs.launchpad.net/bugs/1943143

Title:
  [MIR] python-oslo.metrics, python-prometheus-client
