I reviewed python-xmlschema 1.4.2-1 as checked into jammy. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.
python-xmlschema is a python package which provides XML schema support to
allow XML schemas to be parsed/loaded and queried etc. It also allows XML
documents to be validated against XML schemas etc.
- No CVE History
- Interesting Build-Depends
  - python3-lxml, python3-elementpath
- pre/post inst/rm scripts
  - Standard auto-generated ones from dh_python3 to compile python code on
    installation / delete compiled code on uninstall
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- 3 binaries in PATH
  - utilities to translate to/from XML and to validate XML schemas
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-json2xml
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-validate
  - -rwxr-xr-x root/root 986 2021-01-27 11:04 ./usr/bin/xmlschema-xml2json
- No sudo fragments
- No polkit files
- No udev rules
- unit tests / autopkgtests
  - unit tests run during build via dh_auto_test
  - unit tests also run as autopkgtests
- No cron jobs
- Build logs look clean
- No processes spawned
- Memory management is not relevant as this is python
- File IO
  - As a library, will open files at paths specified by the caller of the
    library
  - Since documents can refer to remote resources, includes a sandbox mode
    so that remote resources will not be fetched / validated for local
    documents and vice-versa, but by default will fetch all resources
- Logging is careful from what I can see
- No apparent environment variable usage
- No apparent use of privileged functions
- No use of cryptography / random number sources etc
- No use of temp files (other than during tests)
- Use of networking to load remote resources via URIs
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- No significant Coverity results (a bunch of false positives)
- No significant shellcheck results
- No significant bandit results
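The File IO notes above describe the one policy decision a consumer of this library has to make: by default every schema location, remote or local, is fetched, while sandbox mode confines resolution to the schema's own directory. As an added example, not part of this review or of the xmlschema code base, the following Python models that decision as a stand-alone check so it runs without the library installed. In xmlschema itself the choice is made with the `allow` keyword of `xmlschema.XMLSchema` (default `'all'`, restricted `'sandbox'`); the other mode names (`'local'`, `'remote'`, `'none'`) and the exact resolution rules used here are assumptions made for the illustration, and the base directory and locations are constructed sample values.

```python
"""Resource-access policy check modelled on the modes the review describes.

Added illustration, not xmlschema's own code.  It reimplements the decision
"may this schema location be opened?" for a handful of access modes so that
the difference between the permissive default and sandbox mode can be seen
on concrete inputs.  Mode names other than 'all' and 'sandbox', and the
resolution rules, are assumptions for this example.
"""
from pathlib import Path
from urllib.parse import urlsplit
from urllib.request import url2pathname

# Schemes whose resolution would trigger a network fetch (assumed set).
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(location: str) -> bool:
    """True for locations that would be fetched over the network."""
    return urlsplit(location).scheme.lower() in REMOTE_SCHEMES


def local_path(location: str, base_dir: Path) -> Path:
    """Resolve a bare path or file:// URL to an absolute filesystem path.

    Relative paths are taken relative to base_dir, and '..' components are
    collapsed by resolve() so that escapes from the base directory show up
    as a different prefix rather than hiding inside the string.
    """
    parts = urlsplit(location)
    raw = url2pathname(parts.path) if parts.scheme.lower() == "file" else location
    path = Path(raw)
    if not path.is_absolute():
        path = base_dir / path
    return path.resolve()


def location_allowed(location: str, base_dir: str, allow: str = "all") -> bool:
    """Decide whether `location` may be opened under access mode `allow`.

    'all'     - everything, local or remote (the permissive default)
    'remote'  - only network URLs
    'local'   - only filesystem paths / file:// URLs, anywhere on disk
    'sandbox' - only filesystem paths inside base_dir
    'none'    - nothing at all
    """
    base = Path(base_dir).resolve()
    if allow == "all":
        return True
    if allow == "none":
        return False
    if is_remote(location):
        return allow == "remote"
    # From here on the location is local (bare path or file:// URL).
    if allow == "remote":
        return False
    path = local_path(location, base)
    if allow == "local":
        return True
    if allow == "sandbox":
        return path == base or base in path.parents
    raise ValueError(f"unknown allow mode: {allow!r}")


def denied_locations(locations, base_dir: str, allow: str) -> list:
    """Return the subset of `locations` that mode `allow` would refuse."""
    return [loc for loc in locations if not location_allowed(loc, base_dir, allow)]


if __name__ == "__main__":
    # Constructed sample: a schema directory and the locations an untrusted
    # schema might reference via xs:import / xs:include.
    base = "/srv/schemas"
    refs = [
        "types/common.xsd",                      # sibling file, expected
        "../../etc/passwd",                       # path escape via '..'
        "file:///srv/schemas/types/common.xsd",   # file URL inside base
        "https://schemas.example.invalid/ext.xsd",  # remote fetch
    ]
    for mode in ("all", "sandbox", "local", "remote", "none"):
        print(f"{mode:8s} denies: {denied_locations(refs, base, mode)}")
```

Running the block prints, per mode, which of the four constructed references would be refused; the default `all` denies none of them, which is the behaviour the review flags, while `sandbox` refuses both the `..` escape and the remote URL. The `..` case is the one worth keeping in mind when choosing a mode: a prefix check on the raw string would accept it, which is why the helper resolves the path before comparing against the base directory.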
The upstream project looks quite healthy - only 5 open GitHub issues and
247 closed ones, and the oldest open issue is from 3rd February this year.
I do note that Debian recently updated to 1.10.0 - should this be synced to
jammy first? Is there a reason why this hasn't come already via the usual
Debian sync process?
Security team ACK for promoting python-xmlschema to main.
** Changed in: python-xmlschema (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
https://bugs.launchpad.net/bugs/1953363
Title:
[MIR] python-xmlschema, elementpath, importlib-resources