[MIR] python-pyelftools
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-pyelftools (Ubuntu) | Fix Released | Low | Unassigned | |
Bug Description
[MIR]
Listing MIR requirements that are fulfilled IMHO:
0. First of all - this is for the Z* release, no rush into Yakkety,
but starting to do it right for Z* now instead of late in the next
cycle.
1. Availability: Is already in Ubuntu universe and builds for the
architectures it is designed to work on.
2. Rationale: having this python extension available would allow us to
ship a dpdk helper tool that can help debugging it in case uncommon
network cards are used. DPDK is in main, so this would be a runtime
dependency.
3. Security: There were no open CVEs reported against it in the past.
No Binaries, services or anything like it - just py files to include
and a readme.
4. Quality assurance: Being a python extension there is no config needed
that would make usability complex.
The code is well maintained upstream. Currently there is no Ubuntu
Delta to Debian and so far there are zero bugs against the package at
https:/
Neither are there in Debian:
https:/
It has a set of integrated tests run on build in override_
5. UI Standards: No UI
6. Dependencies:
Runtime dependencies are on python2/3 only which already is in main.
Build dependencies are on python, dh-python and debhelper. Again a
small list and all already in main.
7. Standards compliance: Packaging is small and easy to understand as it
is almost "just" calling dh with pybuild. It has a watch file and also
FHS/Debian compliance is given. Lintian reports no open issues.
8. Maintenance: As said so far no open bugs and no delta. Since it doesn't
expose anything to the network the risk of security issues is medium.
It is medium and not low as it is used to process elf data on e.g.
shared libraries - that means reading arbitrary data. Since it is in
python a lot of the protection e.g. for buffer overflows comes from the
runtime environment. There is no owning Team yet as it falls in the MIR
prerequisites quote of "Simple packages (e.g. language bindings, simple
Perl modules, small command-line programs, etc.) might not need very
much maintenance effort, and if they are maintained well in Debian we
can just keep them synced"
----
The latest upload of dpdk introduces a dependency on python-pyelftools. MIR, or dropping of the dependency, needed.
Changed in python-pyelftools (Ubuntu): assignee: nobody → Christian Ehrhardt (der-schoenne)
Changed in python-pyelftools (Ubuntu): status: New → Incomplete
Changed in python-pyelftools (Ubuntu): assignee: Christian Ehrhardt (der-schoenne) → ChristianEhrhardt (paelzer)
Changed in python-pyelftools (Ubuntu): assignee: ChristianEhrhardt (paelzer) → Ubuntu Security Team (ubuntu-security)
no longer affects: dpdk (Ubuntu)
Hi Steve, you were 6 hours earlier than me since we had a public holiday yesterday.
So far the tool is optional and we are too late IMHO to MIR that in.
I'll prep an upload that drops this particular tool for Yakkety and revisit that later on.
Dup'ing my report now.