[MIR] zope.component as dependency of mailman3

Bug #1820233 reported by Christian Ehrhardt 
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
zope.component (Ubuntu)
In Progress
Undecided
Unassigned

Bug Description

[Availability]
The package is already universe for quite a while and build/works fine so far.
It is for example already used for https://lists.canonical.com/mailman3/postorius/lists/
OTOH it is a utility that can/could be used for much more than just the mailman3 stack.

This source builds python2 and python3 binaries (being compatible) but we will only pull in the python3 package as part of the switch to mailman3.

[Rationale]
This is part of the MIR activity for all dependencies of mailman3
The "main" MIR of it is at bug 1775427:

Mailman (2) has only python2 support, but we strive for python3,
therefore Mailman3 which has python3 support should be promoted to main.

Old mailman2 had no zope, no code in this package seems to be ported from mailman2 (which would ease review).

[Security]

No known CVEs found.
Zope in general has quite some hits, but this component seems not to be part of it.
=> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zope

[Quality assurance]

As part of the mailman3 stacks as of now (Disco) this installs fine and works fine.
On itself it is useful to (many) other dependencies and does not need a post install configuration on its own.

The package does not ask debconf questions.

Zero known bugs in Ubuntu and Debian only has a request for an MIA uploader (but not the last one) for this component.

The package seems ok, but wasn't touched since the initial furry in late 2015/2016.
There are newer (minor) versions in pypi so we might want to bump them somewhen before 20.04 at least.
IMHO we are not in a hurry with this as long as it works fine.

No exotic HW involved.

The package utilizes build time self tests as well as some (rather trivial) smoke test as autopkgtest.

Lintian only reports very minor issues, mostly by being older (compat 9, no gpg check on watch, no https usage, ...)

The package does not rely on demoted or obsolete packages.

[UI standards]

This is a low level library without (a lot) of user visible strings - no translations (needed).
No End-user applications that needs a standard conformant desktop file.

[Dependencies]

Some dependencies are not in main, but we drive MIR for all related packages
that are not in main at the same time.
Please check the list of bugs from the main Mailman3 MIR in bug 1775427 in bug 1775427 to get an overview.

[Standards compliance]
The package meets the FHS and Debian Policy standards.
The packaging itself is very straight forward and uses dh_* as much as possible - the d/rules fits on one screen.

[Maintenance]

The Server team will subscribe for the package for maintenance, but in
general it seems low on updates and currently is a sync from Debian.

[Background]
The package description explains the general purpose and context of the package well.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

[Duplication]
No duplication for this functionality in main at the moment.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package doe not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE history for this zope component.
But there is CVE for zope in general, so maybe that package was just never reviewed by anyone.

It Does not:
- run a daemon as root
- uses old webkit
- uses lib*v8 directly
- opens a port
- uses centralized online accounts
- integrates arbitrary javascript into the desktop
- deals with system authentication

It does due to its integration into zope to some extend it indirectly:
- processes arbitrary web content
- parse data formats

Therefore to err on the side of caution I mark it for security review.

[Common blockers]
- builds fine at the moment
- utilizes build time self tests
- utilized (rather trivial) smoke test as autopkgtest.
- server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3

[Packaging red flags]
- no current ubuntu Delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present bug ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder
- I was concerned if the ZPL license would be ok (as I haven't touched it ever),
  but zope.interface already is in main with the same license so that must be ok.

Not perfect but ok:
- past updates to the package were sporadic (mostly as-is since intial packaging
- due to that the most current release is not packaged (only a minor upgrade)
- The server team already took a task to check viability to update to the newest version on pypi

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
MIR Team Ack as the package seems small, easy and sane to me.
As outlined above due to its integration into the zope web stack
I'll assign to security for review.

Changed in zope.component (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Eduardo Barretto (ebarretto) wrote :
Download full text (4.7 KiB)

I reviewed zope.component 4.3.0-1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

Zope is a free and open source web application server written in the
object-oriented programming language “Python”.
zope.component is a framework that provides facilities for defining,
registering and looking up components.

The project didn't receive a commit for the past 8 months but it is still
maintained and the code is mature.

- No CVE History:
- Build-Depends
  - dh-python
  - python-all
  - python-persistent
  - python-setuptools
  - python-zope.configuration
  - python-zope.event
  - python-zope.interface
  - python-zope.proxy
  - python-zope.security
  - python3-all
  - python3-persistent
  - python3-setuptools
  - python3-zope.configuration
  - python3-zope.event
  - python3-zope.interface
  - python3-zope.proxy
  - python3-zope.security
- prerm and postinst added automatically
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No udev rules
- unit tests on src/zope/component/tests/
  - There are lots of tests, some of them also check coverage.
- No cron jobs
- Build logs:
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning: sbuild-build-depends-core-dummy
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning: sbuild-build-depends-core-dummy sbuild-build-depends-zope.component-dummy
dpkg-source: warning: extracting unsigned source package (zope.component_4.3.0-1.dsc)
warning: no previously-included files matching '*.dll' found anywhere in distribution
warning: no previously-included files matching '*.pyc' found anywhere in distribution
warning: no previously-included files matching '*.pyo' found anywhere in distribution
warning: no previously-included files matching '*.so' found anywhere in distribution
warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
warning: no previously-included files matching '*.dll' found anywhere in distribution
warning: no previously-included files matching '*.pyc' found anywhere in distribution
warning: no previously-included files matching '*.pyo' found anywhere in distribution
warning: no previously-included files matching '*.so' found anywhere in distribution
warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
warning: no previously-included files matching '*.dll' found anywhere in distribution
warning: no previously-included files matching '*.pyc' found anywhere in distribution
warning: no previously-included files matching '*.pyo' found anywhere in distribution
warning: no previously-included files matching '*.so' found anywhere in distribution
warning: no previously-included files matching 'coverage.xml' found anywhere in distribution
warning: no previously-included files matching '*.dll' found anywhere in distribution
warning: no previously-included files matching '*.pyo' found anywhere in distribution
warning: no previously-included files matching '*.so' found anywhere in distribution
warning: ...

Read more...

Changed in zope.component (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

The right state for ack is "in progress" per [1], setting that.

[1]: https://wiki.ubuntu.com/MIRTeam#Process_states

Changed in zope.component (Ubuntu):
status: New → In Progress
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

After evaluating dependencies, required further changes and mostly maintainability for security and packaging it was decided there are too many concerns - not about any single package in particular, but the overall Mailman3 stack - about the ability to maintain and monitor it as well as we need it for support in main.

We have closed the primary LP bug already, the MIRs that are already approved - like this one - will stay that way, but we will make no seed change to pull things in for now. Yet if other needs come up for those they have a prepared MIR already.
Other bugs which are not yet completed in terms of review will be closed as Won't Fix.

Even thou it ended being aborted, I think that is a valid outcome of the MIR evaluations. Never the less I want to thank everybody involved for all the work spent in what was nearly a year working through these MIRs.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.