[MIR] heat

Bug #1267557 reported by Chuck Short
Affects: heat (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Chuck Short

Bug Description

Rationale: Part of the OpenStack specification for trusty.
Security:
    - [0b1458a] [OSSA 2013-034] Heat CFN policy rules not all enforced
      (CVE-2013-6426) LP: 1256049
    - [8283db7] [OSSA 2013-035] Heat ReST API doesn't respect tenant scoping
      (CVE-2013-6428) LP: 1256983
Quality Assurance: Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.
Standards Compliance: FHS and Debian Policy compliant.
Maintenance: Simple python package that the Ubuntu Server Team will take care of.
Dependencies: All are in main

Michael Terry (mterry)
Changed in heat (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
James Page (james-page)
Changed in heat (Ubuntu):
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

FYI, python-sendfile also needs a MIR.

Changed in py-sendfile (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Chuck Short (zulcss) wrote :

Sendfile will be dropped in the next upload.

no longer affects: py-sendfile (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

MIR review:
* Does it FTBFS currently? no
* Does it have a test suite? yes, though a handful of tests are skipped in debian/patches/skip-tests.patch
* Does it have a team bug subscriber? yes, ubuntu-server
* If it's a Python package, does it use dh_python? yes
* If it's a Python package going on the desktop CD, will it pull in Python 2? python2, but not desktop
* Does Ubuntu carry a delta? Ubuntu maintains its own OpenStack packages and is ahead of Debian
* Does it have a watch file? yes
* Is its update history slow or sporadic? it is updated with the rest of OpenStack (ie, Ubuntu and OpenStack release schedules are in sync)
* Is the current release packaged? yes
* Will entering main make it harder for the people currently keeping it up to date? no
* Lintian warnings: source and binaries have ignorable lintian issues
* Is debian/rules a mess? modern dh
* Errors/warnings during the build: quite a few DeprecationWarnings, but since this is py2 and there shouldn't be a py2.8, this shouldn't be a problem for maintenance

Would be nice to have a man page for /usr/bin/heat-manage, but this doesn't block the MIR
/etc/heat is 755 with files that may contain passwords. Should this be 0750 instead like with other OpenStack packages?

MIR team conditional ACK provided python-sendfile dependency is removed.

Jamie Strandboge (jdstrand) wrote :

Security review. This is only the highest level review and was not an in depth code audit.

The two CVEs are already fixed in trusty. CVE-2013-6426 was pretty extensive since it had to implement missing policy enforcement in CFN API. CVE-2013-6428 was much more reasonable. High level review shows that heat is supportable for main.

build_userdata() in ./heat/engine/resources/nova_utils.py is supposed to be used by cloud-init and in part sets up a user using something like this in boothook.sh:
useradd -m <instance_user>
echo -e '<instance_user>\tALL=(ALL)\tNOPASSWD: ALL' >> /etc/sudoers

Updating sudoers in this manner is not ideal. Better for Ubuntu systems is to update a file in /etc/sudoers.d/ (which is supported at least as far back as 12.04 LTS). Is heat on Ubuntu supposed to be capable of orchestrating non-Ubuntu servers? If not, should this be updated to use /etc/sudoers.d/heat-instance-user (or similar)?

Changed in heat (Ubuntu):
status: New → Incomplete
assignee: Jamie Strandboge (jdstrand) → Chuck Short (zulcss)
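Illustrating the /etc/sudoers.d/ alternative suggested in the review above, here is an added example (not heat's build_userdata() code, and not anything from the heat project or the Ubuntu package) of a boothook-style shell fragment that writes the grant as a drop-in instead of appending to /etc/sudoers. The ROOT prefix, the drop-in name heat-instance-user and the user name ec2-user are assumptions made for the demo; that sudo ignores drop-ins whose name contains '.' or '~' and refuses files that are world-writable or not root-owned is sudo's documented behaviour.

```shell
#!/bin/sh
# Added example, not code from heat or Ubuntu: install the instance user's
# sudo grant as a drop-in under /etc/sudoers.d/ instead of appending a line
# to /etc/sudoers. ROOT is a hypothetical prefix so the functions can be run
# against a scratch directory; on a real instance it would be empty (i.e. /).
set -u

# Accept only names that are safe to embed in a sudoers rule: a name such
# as 'ec2-user ALL=(ALL) ALL #' would otherwise inject extra grammar into
# the policy. Same shape useradd(8) accepts on Ubuntu by default.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or a character outside the set
    esac
    case "$1" in
        [a-z_]*) ;;                     # must start with a lower-case letter or _
        *) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# sudo skips drop-ins whose name contains '.' or '~' and refuses any that
# are world-writable or not root-owned, so use a fixed name and give the
# file mode 0440 before it becomes visible under its final name.
write_instance_sudoers() {
    root=$1
    user=$2
    dir="$root/etc/sudoers.d"
    file="$dir/heat-instance-user"      # hypothetical drop-in name

    if ! valid_username "$user"; then
        echo "refusing to write a sudoers rule for invalid user name: $user" >&2
        return 1
    fi

    mkdir -p "$dir"
    # The temporary name contains a '.', so sudo ignores it while it is written.
    tmp=$(mktemp "$dir/.heat-instance-user.XXXXXX") || return 1
    printf '%s\tALL=(ALL)\tNOPASSWD: ALL\n' "$user" > "$tmp"
    chmod 0440 "$tmp"
    mv "$tmp" "$file"

    # visudo -c also checks owner and mode, so only run it where the file can
    # really be root-owned (a boothook runs as root; this demo may not).
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -q -f "$file"; then
            rm -f "$file"
            return 1
        fi
    fi
    echo "$file"
}

# Stand-alone demo against a scratch root; no privileges needed.
demo_root=$(mktemp -d)
write_instance_sudoers "$demo_root" ec2-user
cat "$demo_root/etc/sudoers.d/heat-instance-user"
rm -rf "$demo_root"
```

Because the grant lives in its own root-owned 0440 file, removing it later means deleting one file rather than editing /etc/sudoers, and visudo -c -f can check it in isolation; the user-name filter matters because the name comes from template data, not from the package.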
Jamie Strandboge (jdstrand) wrote :

Actually, this was meant to be in the security team portion of the review:

/etc/heat is 755 with files that may contain passwords. Should this be 0750 instead like with other OpenStack packages?

Jamie Strandboge (jdstrand) wrote :

Chuck and I discussed this on IRC. He is going to fix those issues. Marking as 'In Progress'.

Changed in heat (Ubuntu):
status: Incomplete → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package heat - 2014.1~rc2-0ubuntu3

---------------
heat (2014.1~rc2-0ubuntu3) trusty; urgency=medium

  * debian/heat-common.postinst: Fix failing autopkg test.
 -- Chuck Short <email address hidden> Mon, 14 Apr 2014 13:36:05 -0400

Changed in heat (Ubuntu):
status: In Progress → Fix Released
Dave Walker (davewalker) wrote :

@Jamie, I see Chuck has done an upload supposedly closing this. Can you take another check to see if you are satisfied?

Thanks

Changed in heat (Ubuntu):
status: Fix Released → In Progress
Jamie Strandboge (jdstrand) wrote :

The chmod occurs before the mkdir. I pinged zul in IRC and he said it will be fixed in the next upload.
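As an added example (not the heat-common.postinst this bug was fixed in, and not anything from the heat package), here is a maintainer-script fragment that applies the 0750 used by other OpenStack packages with the mkdir done before the chmod, tightens any config files already present, and checks that nothing under the directory is left world-readable. ROOT is a hypothetical prefix so it can be run against a scratch directory, the group name heat is assumed, and the heat.conf content in the demo is constructed.

```shell
#!/bin/sh
# Added example, not the heat package's actual postinst: the order of
# operations a maintainer script needs to lock down a configuration directory
# that holds passwords. ROOT is a hypothetical prefix so the functions can
# run against a scratch directory; in a real postinst it would be empty. The
# group (default: heat) is assumed; chown is only attempted when running as
# root and the group exists, since neither is true in a scratch run.
set -u

# Create the directory first, then fix ownership and mode. Doing the chmod
# before the mkdir fails on a fresh install (or is swallowed by an '|| true')
# and leaves the directory at the 0755 that mkdir -p gives it by default.
secure_config_dir() {
    root=$1
    group=${2:-heat}
    dir="$root/etc/heat"
    mkdir -p "$dir"
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown "root:$group" "$dir"
    fi
    chmod 0750 "$dir"
    # Config files already present (e.g. shipped 0644 by an earlier upload)
    # get the same treatment: group-readable, never world-readable.
    for f in "$dir"/*.conf "$dir"/*.ini "$dir"/*.json; do
        [ -f "$f" ] || continue
        if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
            chown "root:$group" "$f"
        fi
        chmod 0640 "$f"
    done
}

# Return non-zero, listing offenders on stderr, if anything under the config
# directory has the other-read bit (0004) set.
audit_config_dir() {
    root=$1
    dir="$root/etc/heat"
    offenders=$(find "$dir" -perm -004)
    if [ -n "$offenders" ]; then
        printf 'world-readable under %s:\n%s\n' "$dir" "$offenders" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: a scratch /etc/heat laid out the way the review found it
# (0755 directory, 0644 heat.conf). The config content is constructed.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/heat"
printf '[DEFAULT]\nadmin_password = s3cret\n' > "$demo_root/etc/heat/heat.conf"
chmod 0755 "$demo_root/etc/heat"
chmod 0644 "$demo_root/etc/heat/heat.conf"
audit_config_dir "$demo_root" || echo "before: insecure (expected)"
secure_config_dir "$demo_root"
audit_config_dir "$demo_root" && echo "after: /etc/heat is 0750, heat.conf is 0640"
rm -rf "$demo_root"
```

The audit is the check worth keeping around independently of the postinst: running it after an upgrade catches a regression like the one in 2014.1~rc2-0ubuntu3, where the chmod ran against a directory that did not exist yet.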

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package heat - 2014.1-0ubuntu1

---------------
heat (2014.1-0ubuntu1) trusty; urgency=medium

  [ Chuck Short ]
  * New upstream release. (LP: #1299055)
  * debian/heat-common.postinst: Create directory before changing
    permissions. (LP: #1267557)

  [ Corey Bryant ]
  * New upstream release (LP: #1299055).
 -- Chuck Short <email address hidden> Thu, 17 Apr 2014 07:27:41 -0400

Changed in heat (Ubuntu):
status: In Progress → Fix Released