MainInclusionM2crypto

Main Inclusion Report for m2crypto

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/m/m2crypto; available for all supported architectures or some subset ? Currently only built for amd64, i386.

  2. Rationale:

    • Why is this package needed? What feature(s) does it add? Per the project's homepage, "M2Crypto is the most complete Python wrapper for OpenSSL". Specifically, portions used by euca2ools include EVP, RSA, and X509. Does upstream expect it? Upstream has not been contacted. Plain text description of expected use: The primary motivation for this request is the use of the library by the euca2ools package.

    • This package is a runtime dependency of euca2ools.

  3. Security:

    • CVE entries: Most are issues around not checking return values from OpenSSL library calls.

    • Secunia history: None

    • Any binaries running as root or suid/sgid ? No. It is only a library. Any daemons ? No.

    • Network activity: does it open any port ? The library offers functions for SSL networking, both incoming and outgoing, but requires an application to use them. Does it handle incoming network data ? No

    • Does it directly (not through a library) process binary (video, audio, etc) or structured (PDF, etc) data ? No

    • Any source code review performed ? No extensive review.

  4. Quality assurance:

    • In what situations does the package not work out of the box without configuration ? The library should generally work out of the box.

    • Does the package ask any debconf questions higher than priority 'medium' ? No

    • Debian bugs: 1 open bug, 511515, is possibly relevant, as apps might not be able to ascertain the success of a few method calls.

    • Maintenance in Debian is vigorous (4 packages in 2009)

    • Upstream is active/calm (checkins

    • Upstream bug tracker: bug 8674 (https://bugzilla.osafoundation.org/show_bug.cgi?id=8674), "urllib.urlopen.readlines() of https:// URL causes max CPU", is at least a bit annoying.

    • Hardware: Does this package deal with hardware and if so how exotic is it ? No specific/direct hardware interaction.

    • Is there a test suite in the upstream source or packaging ? Yes. Is it enabled to run in the build ? No

  5. UI standards:

    • User-visible strings are internationalized using standard gettext system ? No internationalized strings are provided from the library itself.

    • Package with translatable strings builds a PO template during package build ? Not applicable.

    • End-user applications ship a desktop file ? Not applicable.

  6. Standards compliance:

    • FHS: Yes. Debian Policy compliance ?: Yes.

    • Packaging system (debhelper/cdbs/dbs) ? debhelper. Patch system ? None. Any packaging oddities ? No.

  7. Dependencies:

    • python
    • python-support
    • libc6
    • libssl
    • Are these all in main ? Yes

  8. Maintenance:

    • How much maintenance is this package likely to need ? The Debian package is reasonably maintained. The Ubuntu-authored changes have been for Python version changes. The current upstream version (0.19) was also pulled into Ubuntu before Debian (but Debian now has it).

    • Who is responsible for monitoring the quality of this package and fixing its bugs ? Upstream.

    • Who is the package bug contact in Ubuntu? Currently no teams or people subscribed to bugmail.

  9. Background information:

    • The general purpose and context of the package should be clear from the package's debian/control file.

    • What do upstream call this software ? M2Crypto. Has it had different names in the past ? Not recently.

  10. Internationalization:

    • Are graphical applications translatable? Do they support gettext? Not Applicable

Reviewers

MIR bug: https://launchpad.net/bugs/434723

Author

  • Scott Moser

MainInclusionM2crypto (last edited 2009-09-22 16:11:08 by smoser)