
Bug#1002645: RFS: pass-audit/1.1-1 [ITP] -- Pass extension for auditing your password repository (Python library)

Hi Antoine,

First, thanks for reviewing this package. Second, thanks for the code audit;
I clearly don't have enough security knowledge to be able to spot potential
security issues like this, so thanks for that.

> (and btw the [0] reference seems to be missing)

Hum, I forgot to put it and now, to be honest, I don't remember which link
I wanted to put. You can check the packages I maintain on my QA page:
https://qa.debian.org/developer.php?email=thomas.perret@phyx.fr
These are mainly the paperwork[0] software and its dependencies, with the
exception of gfsecret[1], a package that could take advantage of your
sharp eyes.


On 13/01/2022 at 19:47, Antoine Beaupré wrote:
> On 2022-01-13 13:37:47, Antoine Beaupré wrote:
> Any reason why you split the package in two binary packages? I don't see
> why the python3-* package would really be useful outside of the
> extension...

I wasn't sure about that; I can undo the split if you think it's unnecessary.
It was also because, from what I understood of section 5.3 of the
Debian Python Policy[2], it would become a private module and would have
to be installed in /usr/share/pass-audit. So out of laziness, I split
the package. But now that I've read the policy again, I'm not sure I
understand it the same way.


> Another thing is that I can't build the package here, it seems to fail
> on some weird gnupg error in the test suite. Log attached.
>
> other than that, things look somewhat sane. I'm a little worried about
> the security of the code, details in private (and sent to upstream on
> twitter).


Hum, yes indeed. I only tried to build it using pbuilder, which built fine,
but I can reproduce it locally with sbuild (and it was also present on salsa[3]).
Though I'm not sure where the problem comes from; I'll need to investigate.
I'm not able to spend as much time as I would like on Debian currently, so
it will surely take me some time to fix that. But I guess I should wait for
the next upstream release before uploading to Debian.

Thomas


[0]: https://openpaper.work
[1]: https://incenp.org/dvlpt/gfsecret.html
[2]: https://www.debian.org/doc/packaging-manuals/python-policy/index.html#programs-shipping-private-modules
[3]: https://salsa.debian.org/debian/pass-audit/-/jobs/2322260
