MIR: python-kazoo; new taskflow version needs python-kazoo from universe

Bug #1296607 reported by Martin Pitt
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kazoo (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

The new 0.1.3 release of taskflow is stuck in -proposed as the autopkgtest now fails (https://jenkins.qa.ubuntu.com/job/trusty-adt-python-taskflow/?):

======================================================================
FAIL: unittest.loader.ModuleImportFailure.taskflow.tests.unit.persistence.test_zk_persistence
tags: worker-0
----------------------------------------------------------------------
Traceback (most recent call last):
ImportError: Failed to import test module: taskflow.tests.unit.persistence.test_zk_persistence
Traceback (most recent call last):
  File "/usr/lib/python2.7/unittest/loader.py", line 254, in _find_tests
    module = self._get_module_from_name(name)
  File "/usr/lib/python2.7/unittest/loader.py", line 232, in _get_module_from_name
    __import__(name)
  File "/tmp/adt-run.lSDNnp/dsc0-build/python-taskflow-0.1.3/taskflow/tests/unit/persistence/test_zk_persistence.py", line 24, in <module>
    from taskflow.persistence.backends import impl_zookeeper
  File "/tmp/adt-run.lSDNnp/dsc0-build/python-taskflow-0.1.3/taskflow/persistence/backends/impl_zookeeper.py", line 22, in <module>
    from kazoo import exceptions as k_exc
ImportError: No module named kazoo

(and some more similar failures)

Indeed the package now imports "kazoo" in several places, but that's an undeclared new dependency. This needs MIR first, and then needs to get added to the binary package's Depends: (and probably also build depends if the upstream tests need it).

Martin Pitt (pitti)
Changed in python-taskflow (Ubuntu):
assignee: nobody → Chuck Short (zulcss)
summary: - New version needs python-kazoo from universe
+ MIR: python-kazoo; new taskflow version needs python-kazoo from universe
Michael Terry (mterry) wrote :

python-repoze.sphinx.autointerface looks great, but needs a team bug subscriber.

Changed in python-repoze.sphinx.autointerface (Ubuntu):
status: New → Incomplete
Michael Terry (mterry) wrote :

Sorry, and it needs to be ported to dh_python2 instead of python-support

Michael Terry (mterry) wrote :

Kazoo looks like it has tests that aren't being run. Can that be fixed? (either as dep8 or during build)

Changed in kazoo (Ubuntu):
status: New → Incomplete
Chuck Short (zulcss) wrote :

kazoo has a dep8 test dependency now.

Michael Terry (mterry)
no longer affects: python-taskflow (Ubuntu)
no longer affects: python-repoze.sphinx.autointerface (Ubuntu)
Michael Terry (mterry) wrote :

Kazoo looks good from a packaging standpoint (thanks for dropping the other deps and adding dep8 tests!).

But since it involves a full implementation of a wire protocol, I'm going to assign to ubuntu-security so they can determine if this needs an actual looksee from them.

Changed in kazoo (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: Incomplete → New
Michael Terry (mterry) wrote :

Also, kazoo needs a team bug subscriber.

James Page (james-page) wrote :

ubuntu-server added as team bug subscriber.

Changed in kazoo (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Seth Arnold (seth-arnold)
Seth Arnold (seth-arnold) wrote :

I reviewed kazoo version 1.3.1-1ubuntu1 as checked into utopic. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- Kazoo provides python bindings for zookeeper
- Build-Depends: debhelper dh-python python-all python-setuptools
  python3-all python3-setuptools python-sphinx python3-sphinx
  python-gevent
- Only cryptography is hashing
- Python-provided networking
- Does not itself daemonize
- Does not itself listen on network
- No pre/post inst/rm
- No initscripts
- No dbus
- No setuid
- No binaries
- No sudo fragments
- No udev rules
- There are tests but they aren't run during the build
- No cronjobs
- Clean build logs

- No subprocesses spawned
- No memory management
- No files opened
- Logging looks sane
- No environment variables
- No privileged operations
- No encryption, only weak password hashing
- Extensive networking, looked sane
- No temporary files
- No WebKit
- No JavaScript
- No PolicyKit

Here are some notes I collected while reviewing Kazoo in the hope they are
useful to someone:

- Connections to server are unencrypted and unauthenticated, passwords
  given in the clear
- Connection logging includes passwords
- ACL credentials are weakly salted (username only) uniterated SHA1; these
  should be considered as roughly equivalent to plaintext.

Kazoo (and likely Zookeeper) should not be used over the public Internet.
Private data should probably not be stored in Zookeeper in the first
place. All protocols and configurations were designed for use in trusted
datacenters -- think of it like telnet.

I suspect everyone using Zookeeper already knows that it has no privacy or
authenticity controls and is using it in trusted data centers, private
cloud environments, or with VPN solutions that can provide privacy and
authentication.

I skipped reading sw/virtualenv.py, it had a lot of crazy things, but it
is probably not unique to this package.

Security team ACK for promoting Kazoo to main.

Thanks

Changed in kazoo (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
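
The ACL credential weakness noted in the security review above, as an added example that is not part of the original bug report and is not Kazoo's own code: it rebuilds the ZooKeeper digest-scheme value with hashlib and contrasts it with a randomly salted, iterated PBKDF2 record. The function names, sample username and password, and iteration count are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os


def zk_digest_credential(username, password):
    """Value stored in a ZooKeeper 'digest' ACL: user:base64(sha1('user:password'))."""
    material = "{}:{}".format(username, password).encode("utf-8")
    digest = base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")
    return "{}:{}".format(username, digest)


def kdf_record(password, iterations=200_000):
    """Contrast case: random per-record salt and an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def kdf_verify(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def review_properties(username, password):
    """Properties a reviewer would check for each storage scheme."""
    zk_a = zk_digest_credential(username, password)
    zk_b = zk_digest_credential(username, password)
    rec_a, rec_b = kdf_record(password), kdf_record(password)
    return {
        # Same username and password give the same stored value on every
        # cluster, so the username acts as the only salt.
        "zk_value_repeats": zk_a == zk_b,
        # The username is readable in the stored value itself.
        "zk_exposes_username": zk_a.split(":", 1)[0] == username,
        # Random salts make two records of one password differ.
        "kdf_value_repeats": rec_a["hash"] == rec_b["hash"],
        "kdf_verifies": kdf_verify(password, rec_a),
    }


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real deployment.
    for name, value in review_properties("svc-taskflow", "example-password").items():
        print(name, value)
```
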
Michael Terry (mterry)
Changed in kazoo (Ubuntu):
status: New → Fix Committed
Matthias Klose (doko) wrote :

Override component to main
kazoo 1.3.1-1ubuntu1 in utopic: universe/misc -> main
python-kazoo 1.3.1-1ubuntu1 in utopic amd64: universe/python/optional/100% -> main
python-kazoo 1.3.1-1ubuntu1 in utopic arm64: universe/python/optional/100% -> main
python-kazoo 1.3.1-1ubuntu1 in utopic armhf: universe/python/optional/100% -> main
python-kazoo 1.3.1-1ubuntu1 in utopic i386: universe/python/optional/100% -> main
python-kazoo 1.3.1-1ubuntu1 in utopic powerpc: universe/python/optional/100% -> main
python-kazoo 1.3.1-1ubuntu1 in utopic ppc64el: universe/python/optional/100% -> main
python-kazoo-doc 1.3.1-1ubuntu1 in utopic amd64: universe/doc/optional/100% -> main
python-kazoo-doc 1.3.1-1ubuntu1 in utopic arm64: universe/doc/optional/100% -> main
python-kazoo-doc 1.3.1-1ubuntu1 in utopic armhf: universe/doc/optional/100% -> main
python-kazoo-doc 1.3.1-1ubuntu1 in utopic i386: universe/doc/optional/100% -> main
python-kazoo-doc 1.3.1-1ubuntu1 in utopic powerpc: universe/doc/optional/100% -> main
python-kazoo-doc 1.3.1-1ubuntu1 in utopic ppc64el: universe/doc/optional/100% -> main
python3-kazoo 1.3.1-1ubuntu1 in utopic amd64: universe/python/optional/100% -> main
python3-kazoo 1.3.1-1ubuntu1 in utopic arm64: universe/python/optional/100% -> main
python3-kazoo 1.3.1-1ubuntu1 in utopic armhf: universe/python/optional/100% -> main
python3-kazoo 1.3.1-1ubuntu1 in utopic i386: universe/python/optional/100% -> main
python3-kazoo 1.3.1-1ubuntu1 in utopic powerpc: universe/python/optional/100% -> main
python3-kazoo 1.3.1-1ubuntu1 in utopic ppc64el: universe/python/optional/100% -> main
19 publications overridden.

Changed in kazoo (Ubuntu):
status: Fix Committed → Fix Released