Comment 49 for bug 1029549

I am almost done with my review, but won't finish until tomorrow. In the interest of time, I thought I would comment on what I have so far:
Security review:
 * No CVE history in unity-lens-photos (new) or the embedded oauth2 module. The upstream for python-oauth2 doesn't seem particularly active with no commits since December. That said, python-oauth2 has a comprehensive testsuite that was not embedded in the unity-lens-photos (though, it is not enabled in the build and there is a failing test)
 * no compiled code
 * embeds oauth2.py with looks like a python3 port of python-oauth2. I would much prefer python-oauth2 be updated and promoted so that other projects could utilize this.
 * no privileged commands (sudo/su/pkexec), no /tmp files, no initscripts/upstart jobs, no dbus system services, no setuid, fscaps or use of sudo. no cron jobs
 * no build errors or warnings
 * facebook is using https (good)
 * flickr: should be adjusted to use the secure api like in bug #1037169 for account plugins.
 * these are using python3-httplib2 (good) which should be doing SSL verification by default (see bug #882027)

I can say that things look ok but that I have two conditions so far:
 * flickr is updated to use the secure api
 * use system python-oauth2 instead of embedding. python-oauth2 will need packaging updates for python3, but presumably there are going to be many lenses that build off of the online-accounts work and thus will use oauth2. Having one python library with a testsuite that all of them can use and that the security can support is the best solution.