Main Inclusion Report for python-boto

Requirements

1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/p/python-boto; available for all supported architectures or some subset ? All.

2. Rationale:

   • Why is this package needed? What feature(s) does it add? python-boto provides a library interface to amazon web services. It doesn't add anything specifically that couldn't be done otherwise, but provides a common library for multiple applications. Does upstream expect it? Upstream is unaware as far as I know. Plain text description of expected use: python-boto is used by both euca2ools and ec2-init to interface with amazon web services (ec2 api and query the ec2 metadata service).

   • This is a runtime dependency of both euca2ools and ec2-init

3. Security:

   • CVE entries: ...

   • Secunia history: ...

   • Any binaries running as root or suid/sgid ? No, only a python library. Any daemons ? No

   • Network activity: does it open any port ? Python-boto makes outgoing http connections to the ec2 metadata service, which runs on http://169.254.169.254. Does it handle incoming network data ? No

   • Does it directly (not through a library) process binary (video, audio, etc) or structured (PDF, etc) data ? No. It uses python libraries for xml parsing.

   • Any source code review performed ? I (Scott Moser) have quickly browsed through the source in looking for the cause of one bug. Other than that I am not aware of explicity code review. The library's fairly widespread attribute to its quality (or at very least to its usefulness).

4. Quality assurance:

   • In what situations does the package not work out of the box without configuration ? None that I am aware of.

   • Does the package ask any debconf questions higher than priority 'medium' ? No.

   • Debian bugs: None

   • Maintenance in Debian is frenetic/vigorous/calm/dead ? It is fairly active, 9 new uploads in 2009.

   • Upstream is frenetic/vigorous/calm/dead ? Upstream is active.

   • Upstream bug tracker: Nothing of significant interest to euca2ools or ec2-init. The most concerning is 266 - serious bug with XmlHandler

   • Hardware: Does this package deal with hardware and if so how exotic is it ?

   • Is there a test suite in the upstream source or packaging ? Yes. Is it enabled to run in the build ? No. The test suite is based upon being able to connect to AWS to demonstrate its function. This would not be suitable for the build system.

5. UI standards:

   • User-visible strings are internationalized using standard gettext system ? No.

   • Package with translatable strings builds a PO template during package build ? No.

   • End-user applications ship a desktop file ? Not applicable

6. Standards compliance:

   • FHS, Debian Policy compliance ?

   • Packaging system (debhelper/cdbs/dbs) ? debhelper. Patch system ? None. Any packaging oddities ? No.

7. Dependencies:

   • python
   • python-support

   • Are these all in main ? Yes

8. Maintenance:

   • How much maintenance is this package likely to need ? With fairly active debian maintenance, there shouldn't be too much need for ubuntu maintenance.

   • Who is responsible for monitoring the quality of this package and fixing its bugs ? Debian Maintainer, Scott Moser, Soren Hanson, ubuntu-on-ec2 team. Are they Ubuntu or Debian developers ?. Some Ubuntu developers.

   • Who is the package bug contact in Ubuntu? Scott Moser.

9. Background information:

   • The general purpose and context of the package should be clear from the package's debian/control file.

   • What do upstream call this software ? 'boto' Has it had different names in the past ? No. At least not in 2 years it has been packaged for debian.

10. Internationalization:

    • Are graphical applications translatable? Do they support gettext? Not Applicable

Reviewers

MIR bug: https://launchpad.net/bugs/434701

Author

• Scott Moser