[Mir] python-libnacl

Bug #1817327 reported by Chad Smith
Affects                   Status        Importance  Assigned to  Milestone
python-libnacl (Ubuntu)   Won't Fix     Undecided   Unassigned
Trusty                    Fix Released  Undecided   Unassigned
Xenial                    Fix Released  Undecided   Unassigned

Bug Description

# MIR for python-libnacl

Availability:
-------------
  - python-libnacl package is available in xenial-universe.
  - package needs to be uploaded to trusty and no previous version is present

Rationale:
----------

 - There is a newer dependency chain on python-nacl instead of python-
   libnacl in bionic and later already, but we do not want to introduce a
   risk of regression by adapting python-pymacaroons.

 - This is a new build dependency from ubuntu-advantage-tools package which
   will deliver the ability to enable Ubuntu Advantage support entitlement.

Security:
---------
 - No known CVEs

Quality assurance:
------------------

 - Working defaults [it's a library for external consumption]
 - It does not ask debconf questions
 - No long standing high or critical bugs in debian and upstream project
 - Maintainership looks active from both debian and upstream project
 - tests exist and are run during build
 - the package uses a debian/watch file
 - lintian notifications do not raise significant warnings
 - the package builds python2 elements but we are only pulling python3
   binary

UI standards: (generally only for user-facing applications)
-------------
 - None

Dependencies:
-------------
 - libsodium which will be pulled in per LP: #1621386

Standards compliance:
---------------------

Maintenance:
 - upstream and debian package maintenance is active and well maintained

Background information:

This is needed for the UA client and support pymacaroons
 - To avoid added risk in shifting python-pymacaroons to python-nacl package, we would like to introduce a separate package.

Chad Smith (chad.smith)
description: updated
Chad Smith (chad.smith)
Changed in python-libnacl (Ubuntu):
status: New → Incomplete
Chad Smith (chad.smith) wrote :

Marked incomplete as I submitted inconsistent data on this bug.

Christian Ehrhardt  (paelzer) wrote :

This is only needed for Xenial/Trusty as python-libnacl was the backend of pymacaroons there and changing that would be too much regression risk. Therefore the timeline of this support is clearly defined with the EOL of Trusty/Xenial.

It is a duplication in functionality, but never both are in main.
python-libnacl - requested to be in Trusty/Xenial here
python-nacl - is in main >=Bionic

I added T/X tasks therefore and marked the forward looking main bug "invalid".
I'll start on a MIR eval on this later today, so I assign myself.

Changed in python-libnacl (Ubuntu):
status: Incomplete → Invalid
Changed in python-libnacl (Ubuntu Trusty):
assignee: nobody → Christian Ehrhardt  (paelzer)
Changed in python-libnacl (Ubuntu Xenial):
assignee: nobody → Christian Ehrhardt  (paelzer)
description: updated
Christian Ehrhardt  (paelzer) wrote :

[Duplication]
This is no duplication case, but it is special and worth mentioning:
- https://github.com/saltstack/libnacl
- https://github.com/pyca/pynacl

In latter releases the stack depends on the latter and that is fully in main already.
In older releases it was using the former.
I appreciate not trying to SRU a change of the bindings to the other package as that would IMHO not be SRUable.

Eventually for any given release there will only be one nacl python binding in main which is ok.
Also this only changes the past and future versions will not need libnacl.

[Embedded sources and static linking]
- no embedded other sources
- no static linking
- no golang

[Security]
- no known CVEs
- no daemon
- no root usage (it is only a lib/binding after all)
- does not deal with pam/authentication
although:
- it will (through libsodium) parse data formats
- it is used to access crypto functions and therefore is sensitive

[Common blockers]
- builds fine last time in Xenial
- Testsuite is running and blocking build on Xenial as well as on newer versions
- the maas team is already subscribed to the package
- no user visible output that needs translation
- only python3 dependencies are used (but then for Xenial/Trusty this wouldn't even be important)
- dh_python is in use

[Packaging red flags]
- Ubuntu delta is only the backport (LP: #1586770)?
- no symbols
- debian/watch present
- updates happened rarely but since we only go for Xenial/Trusty that isn't too important anyway
- no massive Lintian warnings (things out of date, but that is ok as it is ~3 years old now)
- very clean d/rules (almost only dh @)

[Upstream red flags]
- no build errors on the Xenial version that will be added to main
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no longstanding bugs
- no dependency on webkit, qtwebkit, seed or libgoa-*

[Summary]
This seems reasonably supportable in X/T unless the security team spots something from their scope of expertise.
I'll ack this from the MIR team's POV, but it needs security review as outlined above.
Assigning to security.

Notes/TODOs:
@Chad - since this wasn't built for a long time in Xenial and never before in Trusty, could you please provide a PPA that builds the set of three packages in both releases?
@Security - just like back with [1] there should be a security review as it deals with crypto. But given it is mostly a binding/wrapper to libsodium it should not have too much logic to make this complex.

[1]: https://bugs.launchpad.net/ubuntu/+source/python-nacl/+bug/1747460/comments/10

Changed in python-libnacl (Ubuntu Trusty):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
Changed in python-libnacl (Ubuntu Xenial):
assignee: Christian Ehrhardt  (paelzer) → Ubuntu Security Team (ubuntu-security)
Christian Ehrhardt  (paelzer) wrote :

I proved the (re)build quality for Xenial (to be sure) and since it will be new for Trusty as well.

Xenial: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3667
Trusty: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3668

Both releases' build logs seem sane, no FTBFS and no deviation from what was checked (Xenial LP builds) in the MIR review.

That said I think we can start prepping that for the Trusty new queue as SRU already.

Christian Ehrhardt  (paelzer) wrote :

The package is now in trusty-proposed (universe) and ready for promotion once the ubuntu-advantage-tools upload pulling it in appears in -proposed.

Updating the state of the bug per https://wiki.ubuntu.com/MIRTeam#Process_states

Christian Ehrhardt  (paelzer) wrote :

Actually in this case of three packages only bug 1746772 is complete already, this one here waits for the Security Team ack before being fully complete - but all other blockers are passed.
But the Security Team is already aware, so no need to change anything yet.

@Security Team - once review is (hopefully) good feel free to set to "in progress" per
https://wiki.ubuntu.com/MIRTeam#Process_states

Alex Murray (alexmurray) wrote :

python-libnacl is a thin python wrapper over the libsodium C library,
using ctypes to interact with libsodium. I reviewed python-libnacl
1.4.5-0ubuntu1 from xenial. This shouldn't be considered a full security
audit but rather a quick check of maintainability. Furthermore this is
not an audit of the fitness for purpose of the cryptography in
libsodium.

- No CVE history in our database
- Depends:
  - debhelper, dh-python, libsodium-dev, pkg-config, python, python-all,
    python-nose, python-setuptools, python3, python3-all, python3-nose,
    python3-setuptools
  - Nothing out of the ordinary for a python package, in particular uses
    libsodium for all the heavy lifting
- Does not itself do networking
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid files
- No binaries in the PATH
- No sudo fragments
- No udev rules
- A test suite is run during the build
- No cron jobs
- Clean build logs

- No subprocesses spawned
- Uses file IO for storing keys, umask is appropriately set to ensure
  0400 permissions on resulting files
- Files are parsed as either json or msgpack (no dependency on
  python-msgpack so could this be abused at runtime to crash
  python-libnacl by trying to get it to use a msgpack file where it
  will fail on import msgpack?)
- No logging
- No environment variable use
- No privileged functions
- No networking
- No privileged portions of code
- No temp files
- No WebKit
- No PolKit

Only outstanding issue is whether this is missing a depend on
python-msgpack. Once this is resolved or rationalized, Security team ACK
for promoting python-libnacl in Xenial (and Trusty for the same version)
to main.
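
One way to handle the two points the review above checks (0400 permissions on stored key files, and a msgpack serializer that may not be installed at runtime), as a constructed example that is not libnacl's own code; `save_key_file`, `load_key_file` and `demo_roundtrip` are hypothetical names and the key contents are made up:

```python
import json
import os
import tempfile

try:
    import msgpack  # optional: absent when python-msgpack is not installed
except ImportError:
    msgpack = None

def save_key_file(path, key_data):
    """Write key_data as JSON with 0400 permissions; refuse to overwrite an existing file."""
    old_umask = os.umask(0o077)  # mirror the umask handling the review describes
    try:
        # O_EXCL makes creation fail if the file exists; 0o400 is applied at creation
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as fh:
        fh.write(json.dumps(key_data).encode())
    return os.stat(path).st_mode & 0o777

def load_key_file(path, fmt="json", msgpack_module=msgpack):
    """Read a key file; a missing msgpack module gives a clear error, not an ImportError."""
    if fmt == "msgpack" and msgpack_module is None:
        raise RuntimeError("cannot read msgpack key file: python-msgpack is not installed")
    with open(path, "rb") as fh:
        blob = fh.read()
    if fmt == "json":
        return json.loads(blob.decode())
    return msgpack_module.unpackb(blob, raw=False)

def demo_roundtrip(directory=None):
    """Round-trip a constructed key; return (mode, contents, overwrite refused, clean msgpack failure)."""
    path = os.path.join(directory or tempfile.mkdtemp(), "key.json")
    mode = save_key_file(path, {"pk": "00ff", "sk": "abcd"})  # constructed sample key
    loaded = load_key_file(path)
    try:
        save_key_file(path, {"pk": "xx"})
        overwrite_refused = False
    except FileExistsError:
        overwrite_refused = True
    try:
        load_key_file(path, fmt="msgpack", msgpack_module=None)
        clean_failure = False
    except RuntimeError:
        clean_failure = True
    return mode, loaded, overwrite_refused, clean_failure
```

Passing `msgpack_module=None` simulates the missing-dependency case the review asks about, so the loader's behaviour can be checked without uninstalling anything.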

Changed in python-libnacl (Ubuntu Trusty):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: New → In Progress
Changed in python-libnacl (Ubuntu Xenial):
status: New → In Progress
Changed in python-libnacl (Ubuntu Trusty):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Changed in python-libnacl (Ubuntu Xenial):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Steve Langasek (vorlon) wrote :

Override component to main
python-libnacl 1.4.5-0ubuntu1 in xenial: universe/python -> main
1 publication overridden.
Override component to main
python3-libnacl 1.4.5-0ubuntu1 in xenial amd64: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1 in xenial arm64: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1 in xenial armhf: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1 in xenial i386: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1 in xenial powerpc: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1 in xenial ppc64el: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1 in xenial s390x: universe/python/optional/100% -> main
7 publications overridden.

Changed in python-libnacl (Ubuntu Xenial):
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
python-libnacl 1.4.5-0ubuntu1~ubuntu14.04.1 in trusty: universe/python -> main
1 publication overridden.
Override component to main
python3-libnacl 1.4.5-0ubuntu1~ubuntu14.04.1 in trusty amd64: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1~ubuntu14.04.1 in trusty arm64: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1~ubuntu14.04.1 in trusty armhf: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1~ubuntu14.04.1 in trusty i386: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1~ubuntu14.04.1 in trusty powerpc: universe/python/optional/100% -> main
python3-libnacl 1.4.5-0ubuntu1~ubuntu14.04.1 in trusty ppc64el: universe/python/optional/100% -> main
6 publications overridden.

Changed in python-libnacl (Ubuntu Trusty):
status: In Progress → Fix Released
Mathew Hodson (mhodson)
Changed in python-libnacl (Ubuntu):
status: Invalid → Won't Fix