From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 01/23] python3-cryptography: Update to version 36.0.2
Date: Fri, 17 Jun 2022 13:10:09 +0200
Message-ID: <07306f51-8b53-70fa-cca5-167160d00f59@ipfire.org>
In-Reply-To: <38C1743E-FF5E-4640-BB2C-CFF9A7F00D94@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4092454495351202283=="
List-Id: <development.lists.ipfire.org>

--===============4092454495351202283==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable



On 17/06/2022 12:14, Michael Tremer wrote:
> Oh wow. 23 patches.
and would have been 26 patches without your help on removing the Windows requirements.
>
> That looks like a lot of work!
>
> Thank you for this. I will not tag them all individually if that is okay :)
That is fine by me :-)
>
> -Michael
>
>> On 17 Jun 2022, at 11:00, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>>
>> Dear All,
>>
>> For information this patch series can wait till CU170. It is not an urgent need to update in CU169.
>>
>> Regards,
>> Adolf.
>>
>> On 17/06/2022 11:42, Adolf Belka wrote:
>>> - Update from version 3.4.7 to 36.0.2
>>>     After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021
>>>     See Changelog section 35.0.0 below
>>> - New release requires a lot of rust packages - see Changelog sections 35.0.0 & 36.0.0
>>>     below. The required rust packages are installed in separate patches in this series
>>> - Update of rootfile
>>> - Changelog
>>> 	36.0.2 - 2022-03-15
>>> 	    Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
>>> 	36.0.1 - 2021-12-14
>>> 	    Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
>>> 	36.0.0 - 2021-11-21
>>> 	    FINAL DEPRECATION Support for verifier and signer on our asymmetric key
>>>               classes was deprecated in version 2.0. These functions had an extended
>>>               deprecation due to usage, however the next version of cryptography will drop
>>>               support. Users should migrate to sign and verify.
>>> 	    The entire X.509 layer is now written in Rust. This allows alternate
>>>               asymmetric key implementations that can support cloud key management
>>>               services or hardware security modules provided they implement the necessary
>>>               interface (for example: EllipticCurvePrivateKey).
>>> 	    Deprecated the backend argument for all functions.
>>> 	    Added support for AESOCB3.
>>> 	    Added support for iterating over arbitrary request attributes.
>>> 	    Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
>>>               favor of get_attribute_for_oid() on the new Attributes object.
>>> 	    Fixed handling of PEM files to allow loading when certificate and key are in
>>>               the same file.
>>> 	    Fixed parsing of CertificatePolicies extensions containing legacy BMPString
>>>               values in their explicitText.
>>> 	    Allow parsing of negative serial numbers in certificates. Negative serial
>>>               numbers are prohibited by RFC 5280 so a deprecation warning will be raised
>>>               whenever they are encountered. A future version of cryptography will drop
>>>               support for parsing them.
>>> 	    Added support for parsing PKCS12 files with friendly names for all
>>>               certificates with load_pkcs12(), which will return an object of type
>>>               PKCS12KeyAndCertificates.
>>> 	    rfc4514_string() and related methods now have an optional attr_name_overrides
>>>               parameter to supply custom OID to name mappings, which can be used to match
>>>               vendor-specific extensions.
>>> 	    BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address
>>>               fields as E in rfc4514_string() methods from version 35.0.
>>> 	    The previous behavior can be restored with:
>>>               name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
>>> 	    Allow X25519PublicKey and X448PublicKey to be used as public keys when
>>>               parsing certificates or creating them with CertificateBuilder. These key
>>>               types must be signed with a different signing algorithm as X25519 and X448
>>>               do not support signing.
>>> 	    Extension values can now be serialized to a DER byte string by calling
>>>               public_bytes().
>>> 	    Added experimental support for compiling against BoringSSL. As BoringSSL
>>>               does not commit to a stable API, cryptography tests against the latest
>>>               commit only. Please note that several features are not available when
>>>               building against BoringSSL.
>>> 	    Parsing CertificateSigningRequest from DER and PEM now, for a limited time
>>>               period, allows the Extension critical field to be incorrectly encoded. See
>>>               the issue for complete details. This will be reverted in a future
>>>               cryptography release.
>>> 	    When OCSPNonce are parsed and generated their value is now correctly wrapped
>>>               in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the
>>>               original behavior specified in RFC 2560. For a temporary period for
>>>               backwards compatibility, we will also parse values that are encoded as
>>>               specified in RFC 2560 but this behavior will be removed in a future release.
>>> 	35.0.0 - 2021-09-29
>>> 	    Changed the version scheme. This will result in us incrementing the major
>>>               version more frequently, but does not change our existing backwards
>>>               compatibility policy.
>>> 	    BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
>>>               string passed have PEM delimiters of the correct type. For example, parsing
>>>               a private key PEM concatenated with a certificate PEM will no longer be
>>>               accepted by the PEM certificate parser.
>>> 	    BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
>>>               negative serial numbers. RFC 5280 has always prohibited these.
>>> 	    BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509
>>>               parsing will raise an error on initial parse rather than when the malformed
>>>               field is accessed.
>>> 	    Rust is now required for building cryptography, the
>>>               CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
>>> 	    Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
>>>               This should be backwards compatible (modulo the items listed above) and
>>>               improve both security and performance.
>>> 	    Added support for OpenSSL 3.0.0 as a compilation target.
>>> 	    Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
>>>               are provided for compatibility in regions where they may be required, and
>>>               are not generally recommended.
>>> 	    We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
>>>               manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
>>>               Linux should ensure they upgrade to the latest pip to correctly receive
>>>               wheels.
>>> 	    Added rfc4514_attribute_name attribute to x509.NameAttribute.
>>> 	    Added KBKDFCMAC.
>>> 	3.4.8 - 2021-08-24
>>> 	    Updated Windows, macOS, and manylinux wheels to be compiled with
>>>               OpenSSL 1.1.1l.
>>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>>> ---
>>>   .../rootfiles/packages/python3-cryptography   | 25 ++++++++++---------
>>>   lfs/python3-cryptography                      |  6 ++---
>>>   2 files changed, 16 insertions(+), 15 deletions(-)
>>> diff --git a/config/rootfiles/packages/python3-cryptography b/config/root=
files/packages/python3-cryptography
>>> index 9f63606fb..a9ee32faf 100644
>>> --- a/config/rootfiles/packages/python3-cryptography
>>> +++ b/config/rootfiles/packages/python3-cryptography
>>> @@ -1,20 +1,18 @@
>>>   usr/lib/python3.10/site-packages/cryptography
>>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info
>>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/PKG=
-INFO
>>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/SOU=
RCES.txt
>>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/dep=
endency_links.txt
>>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/not=
-zip-safe
>>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/req=
uires.txt
>>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/top=
_level.txt
>>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info
>>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/PK=
G-INFO
>>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/SO=
URCES.txt
>>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/de=
pendency_links.txt
>>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/no=
t-zip-safe
>>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/re=
quires.txt
>>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/to=
p_level.txt
>>>   usr/lib/python3.10/site-packages/cryptography/__about__.py
>>>   usr/lib/python3.10/site-packages/cryptography/__init__.py
>>>   usr/lib/python3.10/site-packages/cryptography/exceptions.py
>>>   usr/lib/python3.10/site-packages/cryptography/fernet.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/__init__.py
>>> -usr/lib/python3.10/site-packages/cryptography/hazmat/_der.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/_oid.py
>>> -usr/lib/python3.10/site-packages/cryptography/hazmat/_types.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/__init__.=
py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/interface=
s.py
>>> @@ -33,7 +31,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/ba=
ckends/openssl/ed448.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/e=
ncode_asn1.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/h=
ashes.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/h=
mac.py
>>> -usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/oc=
sp.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/p=
oly1305.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/r=
sa.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/u=
tils.py
>>> @@ -43,8 +40,12 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/b=
ackends/openssl/x509.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/__init__.=
py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_openssl.=
abi3.so
>>> -usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_padding.a=
bi3.so
>>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust.abi=
3.so
>>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/__in=
it__.pyi
>>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/asn1=
.pyi
>>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/ocsp=
.pyi
>>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/x509=
.pyi
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/_=
_init__.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/_=
conditional.py
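Review bot: the four `_rust/*.pyi` entries added in this hunk (`__init__.pyi`, `asn1.pyi`, `ocsp.pyi`, `x509.pyi`) are type stubs that only type checkers read and that are never imported at runtime, yet they are listed as shipped files while the egg-info metadata at the top of the same rootfile is commented out. If the rootfile is meant to carry only what the running system needs, consider commenting these four lines out with a leading `#` in the same way; if they are kept deliberately, a sentence in the commit message saying so would settle the question.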
>>> @@ -63,6 +64,7 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/pr=
imitives/asymmetric/ed255
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmet=
ric/ed448.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmet=
ric/padding.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmet=
ric/rsa.py
>>> +usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetr=
ic/types.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmet=
ric/utils.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmet=
ric/x25519.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmet=
ric/x448.py
>>> @@ -97,7 +99,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/pr=
imitives/twofactor
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofact=
or/__init__.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofact=
or/hotp.py
>>>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofact=
or/totp.py
>>> -usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofacto=
r/utils.py
>>>   usr/lib/python3.10/site-packages/cryptography/py.typed
>>>   usr/lib/python3.10/site-packages/cryptography/utils.py
>>>   usr/lib/python3.10/site-packages/cryptography/x509
>>> diff --git a/lfs/python3-cryptography b/lfs/python3-cryptography
>>> index f3090bc6a..77e5f06b0 100644
>>> --- a/lfs/python3-cryptography
>>> +++ b/lfs/python3-cryptography
>>> @@ -24,7 +24,7 @@
>>>     include Config
>>>   -VER        =3D 3.4.7
>>> +VER        =3D 36.0.2
>>>     THISAPP    =3D cryptography-$(VER)
>>>   DL_FILE    =3D $(THISAPP).tar.gz
>>> @@ -32,7 +32,7 @@ DL_FROM    =3D $(URL_IPFIRE)
>>>   DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
>>>   TARGET     =3D $(DIR_INFO)/$(THISAPP)
>>>   PROG       =3D python3-cryptography
>>> -PAK_VER    =3D 1
>>> +PAK_VER    =3D 2
>>>     DEPS       =3D python3-cffi
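Review bot: `DEPS` stays at `python3-cffi` on the context line of this hunk although the commit message says the new release requires a lot of rust packages. If those packages are needed only while building and their code ends up inside `_rust.abi3.so`, leaving `DEPS` unchanged is correct, but the commit message should say explicitly that they are build-time only so that it is clear no runtime dependency has been missed alongside the `PAK_VER` bump.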
>>>   @@ -46,7 +46,7 @@ objects =3D $(DL_FILE)
>>>     $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
>>>   -$(DL_FILE)_BLAKE2 =3D 49bc1e098ed1ba0181059b645f6668cda6332d196eaca552=
70ebce6e07e5bb6ab6724c5050fde20e89b7025773960d74ec782bb875badbbd5dc9a04db0a53=
6f1
>>> +$(DL_FILE)_BLAKE2 =3D b34b994e44b1ccd099a56fba4a167d563a29652f86ab0f0000=
ef78b4093a15cbfb82a9cebecdcaf6bca782a5fdd20f6c7d2206d68a219626a9fe8ae13e9aec5e
>>>     install : $(TARGET)
>>>  =20
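Review bot: the replaced `$(DL_FILE)_BLAKE2` value is the only line in this patch that pins the content of the 36.0.2 tarball, and `DL_FROM` is `$(URL_IPFIRE)`, so nothing visible here ties the checksum to a specific upstream artifact. Please record in the commit message where `cryptography-36.0.2.tar.gz` was fetched from and that it was compared against the upstream release before the BLAKE2 sum was generated, so a reviewer can reproduce the value independently.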
>

--===============4092454495351202283==--