I reviewed pemmican 1.0.3-0ubuntu1 as checked into noble.  This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

pemmican is a small utility which warns users of power supply issues on the
Raspberry Pi 5 platform.

- CVE History
  - No CVEs. This project is a month old though.
- Build-Depends
  - Apart from the typical Python package dependencies:
    - python3-gi
    - python3-pyudev
    - python3-dbus
    - For documentation:
      - python3-sphinx
      - python3-sphinx-rtd-theme
- pre/post inst/rm scripts
  - There are automatically added scripts from dh_python3 and 
dh_installsystemduser.
  - Init scripts compile the python scripts with py3compile and enable the 
systemd services.
  - Rm scripts for cleanup and removal of the systemd services.
- systemd units
  - /usr/lib/systemd/user/pemmican-monitor.service -> simple systemd unit that 
runs as the user.
  - /usr/lib/systemd/user/pemmican-reset.service -> one-shot systemd unit that 
runs as the user.
- dbus services
  - It dispatches freedesktop DBus notifications.
- setuid binaries
  - None
- binaries in PATH
  - /usr/bin/pemmican-mon -> python script to be run by the systemd unit. It 
runs MonitorApplication from gui.py
  - /usr/bin/pemmican-reset -> python script to be run by the systemd unit. It 
runs ResetApplication from gui.py
  - /usr/bin/pemmican-cli -> python script to add a MOTD message. It runs cli.py
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - It monitors power supply-related events on usb/hwmon
- unit tests / autopkgtests
  - The source code includes unit tests. They are run when building the deb 
package.
  - Autopkgtests are also the tests.
- cron jobs
  - None
- Build logs
  - Deprecation warning from setuptools because of trying to use 'setup.py 
install'.
  - Lintian clean.

- Processes spawned
  - None
- Memory management
  - Nothing out of normal, Python application.
- File IO
  - None
- Logging
  - None
- Environment variable usage
  - It searches for XDG_CONFIG_HOME, XDG_CONFIG_DIRS and (WAYLAND_)DISPLAY.
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None

- Any significant cppcheck results
  - None
- Any significant Coverity results
  - None
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - None

The code is widely documented and properly formatted. It contains error and 
exception handling.
Upstream runs the testing suite with GitHub Actions on every commit. Since it's 
a month old project, we cannot speak about maintainability but the owner is a 
Canonical engineer.

The complete codebase is made by 6 Python files:

* power.py -> Opens hardcoded '/proc/device-tree/chosen/power' and reads values.
* notify.py -> DBus freedesktop notification handler class, with hardcoded 
paths and values.
* lang.py -> Minimal locale and internationalization loading.
* gui.py -> Interaction with the freedesktop notification service to notify the 
user.
* const.py -> Constant variables to be used, uses XDG_CONFIG_ environment 
variables.
* cli.py -> CLI tool to run the same functionality as the systemd units but 
getting the output as stdout.

Overall, the code looks well written and it does not present any
security issues.

Binaries generated:

* pemmican-desktop:

  Systemd units run as the user, since it uses dh_installsystemduser. It
cannot be used to gain privileges. The reset unit queries
/proc/device-tree/chosen/power sending a freedesktop notification in case of
brownout/not enough current. The monitoring unit monitors udev changes,
sending a freedesktop notification in case of undervolt/overcurrent
detected.

* pemmican-server:

  It works as an update-motd hook for running the CLI application. Same
as the desktop reset one, which queries the information but it adds the
message to MOTD in case something is detected. The messages and
invocation are hardcoded so there is no possibility of manipulating the output.

Security team ACK for promoting pemmican to main.


** Changed in: pemmican (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: pemmican (Ubuntu)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/2055434

Title:
  [MIR] pemmican
