[MIR] promote python3-tornado as a pcs dependency

Review for Package: src:python-tornado

[Summary]
TornadoWeb is python web framework specializing on websocket communications.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security

List of specific binary packages to be promoted to main: python3-tornado, python3-tornado-doc
Specific binary packages built, but NOT to be promoted to main: <None>

Notes:
- This package is processing arbitrary web-content. Therefore, I'm requiring a
  security review.

Required TODOs:
#0 The package should get a team bug subscriber before being promoted (Server team?)

Recommended TODOs:
#1 lintian-overrides warnings, probably due to recent changes in lintian,
   please work with the Debian maintainers to get the overrides adopted
#2 warnings during the build (see below).
   - Please work with upstream to avoid using deprecated setup.py
   - Please work with Debian to avoid unused substitution variables in d/control

[Duplication]
TornadoWeb is basically yet another python web framework, like Django or Flask,
both of which are already in main. But Tornado is mostly addressing the
websockets niche and optimizing for that and seems to be better supported than
other alternatives (from universe, like python3-websockets, flask-socketio,
django-channels). Therefore, I think it's okay to add it as an additional python
web framework.

There is no other package in main providing the same (niche) functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems: None

[Security]
OK:
- history of CVEs does not look concerning (3 low/medium CVEs, handled upstream)
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

Problems:
- parses data formats (network packets/websocket) from an untrusted source.
- opens a port for web(-socket) communication
- processes arbitrary web content

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new...

Thanks for the review Lukas! The Server team will be subscribed to the team before its promotion.

I reviewed python-tornado 6.2.0-1 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

> Tornado is a Python web framework and asynchronous networking library

- CVE History:
  - CVE-2012-2374, CVE-2013-2099, and CVE-2014-9720
    - developers responded swiftly
  - CVE-2020-28476 was misassigned and revoked
  - silent vulnerability fixes https://github.com/tornadoweb/tornado/issues/799
    - https://github.com/tornadoweb/tornado/releases/tag/v6.2.0
    - downstream cannot apply security fixes that they do not know about!
  - release notes are only tracked by GitHub tags
    - previously kept on project's website
    - difficult to track history
- Build-Depends?
  - notably python3-pycurl and python3-twisted
  - optional python3-pycares not included in package
- pre/post inst/rm scripts?
  - yes
    - postinst compiles code
    - prerm cleans up compiled code
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - 1,167 build tests for functionality
  - some autopkgtests
    - i386 failing due to dependencies
- cron jobs?
  - none
- Build logs:
  - trivial lintian warnings, needs cleaning

- Processes spawned?
  - most are in tests
  - exec_in's exec() seems fine, see bandit
  - Popen in autoreload.py and process.py are okay--isolated from user
- Memory management?
  - appears fine
- File IO?
  - mostly in tests or demos
  - web.py's get_content() reads absolute paths
  - WebSocketHandler class has its own open function
  - file reads in templaye.py, options.py, process.py, locale.py are fine
- Logging?
  - many functions to log or raise errors, warnings, and debugging
  - httputil.py defines many error functions
  - logging is well defined in tornado documentation
- Environment variable usage?
  - mostly in wsgi.py
    - WSGIContainer defines it's own environ()
  - autoreload.py calls os.environ["PYTHONPATH"]
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - http goes through python3-pycurl
  - websocket.py's magic value is part of standard
  - uses of SHA-1 in ETags and Sec-WebSocket-Accept are fine
  - uses of random in ETags, Sec-WebScoket-Accept, xsrf, and jitter are fine
- Use of temp files?
  - none
  - templates.py writes lines to temp buffer
- Use of networking?
  - http goes through python3-pycurl
  - heavy use
  - lots of inline comments
  - appears to comply with standards, is defensively written, and covers edgecases
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none

- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - _HTTPRequestContext class defaults to listening on 0.0.0.0 instead of localhost. Unsafe default.

This package should use dh_python.

Downstream developers using Tornado could easily create vulnerabilities in their projects via Tornado templates and exec calls. Dependents of Tornado should be audited for t...

Please note that the follow python-tornado build dependencies are not in lunar main and do not have an open MIR: (1) dh-python, (2) python-mock, and (3) sphinxcontrib-asyncio.

edit: these dependencies are only required for build and do not require an MIR

Showing up in component mismatch now as planned.

Promoted together with the full PCS stack, details see https://bugs.launchpad.net/ubuntu/+source/pcs/+bug/1953341/comments/13