Oh wow. 23 patches.
That looks like a lot of work!
Thank you for this. I will not tag them all individually if that is okay :)
-Michael
> On 17 Jun 2022, at 11:00, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> Dear All,
>
> For information this patch series can wait till CU170. It is not an urgent need to update in CU169.
>
> Regards,
> Adolf.
>
> On 17/06/2022 11:42, Adolf Belka wrote:
>> - Update from version 3.4.7 to 36.0.2
>> After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021
>> See Chanelog section 35.0.0 below
>> - New release requires a lot of rust packages - see Changelog sections 35.0.0 & 36.0.0
>> below. The required rust packages are installed in separate patches in this series
>> - Update of rootfile
>> - Changelog
>> 36.0.2 - 2022-03-15¶
>> Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
>> 36.0.1 - 2021-12-14¶
>> Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
>> 36.0.0 - 2021-11-21¶
>> FINAL DEPRECATION Support for verifier and signer on our asymmetric key
>> classes was deprecated in version 2.0. These functions had an extended
>> deprecation due to usage, however the next version of cryptography will drop
>> support. Users should migrate to sign and verify.
>> The entire X.509 layer is now written in Rust. This allows alternate
>> asymmetric key implementations that can support cloud key management
>> services or hardware security modules provided they implement the necessary
>> interface (for example: EllipticCurvePrivateKey).
>> Deprecated the backend argument for all functions.
>> Added support for AESOCB3.
>> Added support for iterating over arbitrary request attributes.
>> Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
>> favor of get_attribute_for_oid() on the new Attributes object.
>> Fixed handling of PEM files to allow loading when certificate and key are in
>> the same file.
>> Fixed parsing of CertificatePolicies extensions containing legacy BMPString
>> values in their explicitText.
>> Allow parsing of negative serial numbers in certificates. Negative serial
>> numbers are prohibited by RFC 5280 so a deprecation warning will be raised
>> whenever they are encountered. A future version of cryptography will drop
>> support for parsing them.
>> Added support for parsing PKCS12 files with friendly names for all
>> certificates with load_pkcs12(), which will return an object of type
>> PKCS12KeyAndCertificates.
>> rfc4514_string() and related methods now have an optional attr_name_overrides
>> parameter to supply custom OID to name mappings, which can be used to match
>> vendor-specific extensions.
>> BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address
>> fields as E in rfc4514_string() methods from version 35.0.
>> The previous behavior can be restored with:
>> name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
>> Allow X25519PublicKey and X448PublicKey to be used as public keys when
>> parsing certificates or creating them with CertificateBuilder. These key
>> types must be signed with a different signing algorithm as X25519 and X448
>> do not support signing.
>> Extension values can now be serialized to a DER byte string by calling
>> public_bytes().
>> Added experimental support for compiling against BoringSSL. As BoringSSL
>> does not commit to a stable API, cryptography tests against the latest
>> commit only. Please note that several features are not available when
>> building against BoringSSL.
>> Parsing CertificateSigningRequest from DER and PEM now, for a limited time
>> period, allows the Extension critical field to be incorrectly encoded. See
>> the issue for complete details. This will be reverted in a future
>> cryptography release.
>> When OCSPNonce are parsed and generated their value is now correctly wrapped
>> in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the
>> original behavior specified in RFC 2560. For a temporary period for
>> backwards compatibility, we will also parse values that are encoded as
>> specified in RFC 2560 but this behavior will be removed in a future release.
>> 35.0.0 - 2021-09-29¶
>> Changed the version scheme. This will result in us incrementing the major
>> version more frequently, but does not change our existing backwards
>> compatibility policy.
>> BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
>> string passed have PEM delimiters of the correct type. For example, parsing
>> a private key PEM concatenated with a certificate PEM will no longer be
>> accepted by the PEM certificate parser.
>> BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
>> negative serial numbers. RFC 5280 has always prohibited these.
>> BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509
>> parsing will raise an error on initial parse rather than when the malformed
>> field is accessed.
>> Rust is now required for building cryptography, the
>> CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
>> Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
>> This should be backwards compatible (modulo the items listed above) and
>> improve both security and performance.
>> Added support for OpenSSL 3.0.0 as a compilation target.
>> Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
>> are provided for compatibility in regions where they may be required, and
>> are not generally recommended.
>> We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
>> manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
>> Linux should ensure they upgrade to the latest pip to correctly receive
>> wheels.
>> Added rfc4514_attribute_name attribute to x509.NameAttribute.
>> Added KBKDFCMAC.
>> 3.4.8 - 2021-08-24¶
>> Updated Windows, macOS, and manylinux wheels to be compiled with
>> OpenSSL 1.1.1l.
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>> .../rootfiles/packages/python3-cryptography | 25 ++++++++++---------
>> lfs/python3-cryptography | 6 ++---
>> 2 files changed, 16 insertions(+), 15 deletions(-)
>> diff --git a/config/rootfiles/packages/python3-cryptography b/config/rootfiles/packages/python3-cryptography
>> index 9f63606fb..a9ee32faf 100644
>> --- a/config/rootfiles/packages/python3-cryptography
>> +++ b/config/rootfiles/packages/python3-cryptography
>> @@ -1,20 +1,18 @@
>> usr/lib/python3.10/site-packages/cryptography
>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info
>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/PKG-INFO
>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/SOURCES.txt
>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/dependency_links.txt
>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/not-zip-safe
>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/requires.txt
>> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/top_level.txt
>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info
>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/PKG-INFO
>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/SOURCES.txt
>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/dependency_links.txt
>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/not-zip-safe
>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/requires.txt
>> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/top_level.txt
>> usr/lib/python3.10/site-packages/cryptography/__about__.py
>> usr/lib/python3.10/site-packages/cryptography/__init__.py
>> usr/lib/python3.10/site-packages/cryptography/exceptions.py
>> usr/lib/python3.10/site-packages/cryptography/fernet.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat
>> usr/lib/python3.10/site-packages/cryptography/hazmat/__init__.py
>> -usr/lib/python3.10/site-packages/cryptography/hazmat/_der.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/_oid.py
>> -usr/lib/python3.10/site-packages/cryptography/hazmat/_types.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/__init__.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/interfaces.py
>> @@ -33,7 +31,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ed448.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/hashes.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/hmac.py
>> -usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ocsp.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/poly1305.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/rsa.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/utils.py
>> @@ -43,8 +40,12 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/x509.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings
>> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/__init__.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so
>> -usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_padding.abi3.so
>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust
>> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust.abi3.so
>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/__init__.pyi
>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/asn1.pyi
>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/ocsp.pyi
>> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/x509.pyi
>> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl
>> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/__init__.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/_conditional.py
>> @@ -63,6 +64,7 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/ed255
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/ed448.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/padding.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/rsa.py
>> +usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/types.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/utils.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/x448.py
>> @@ -97,7 +99,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/__init__.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/hotp.py
>> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/totp.py
>> -usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/utils.py
>> usr/lib/python3.10/site-packages/cryptography/py.typed
>> usr/lib/python3.10/site-packages/cryptography/utils.py
>> usr/lib/python3.10/site-packages/cryptography/x509
>> diff --git a/lfs/python3-cryptography b/lfs/python3-cryptography
>> index f3090bc6a..77e5f06b0 100644
>> --- a/lfs/python3-cryptography
>> +++ b/lfs/python3-cryptography
>> @@ -24,7 +24,7 @@
>> include Config
>> -VER = 3.4.7
>> +VER = 36.0.2
>> THISAPP = cryptography-$(VER)
>> DL_FILE = $(THISAPP).tar.gz
>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
>> DIR_APP = $(DIR_SRC)/$(THISAPP)
>> TARGET = $(DIR_INFO)/$(THISAPP)
>> PROG = python3-cryptography
>> -PAK_VER = 1
>> +PAK_VER = 2
>> DEPS = python3-cffi
>> @@ -46,7 +46,7 @@ objects = $(DL_FILE)
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>> -$(DL_FILE)_BLAKE2 = 49bc1e098ed1ba0181059b645f6668cda6332d196eaca55270ebce6e07e5bb6ab6724c5050fde20e89b7025773960d74ec782bb875badbbd5dc9a04db0a536f1
>> +$(DL_FILE)_BLAKE2 = b34b994e44b1ccd099a56fba4a167d563a29652f86ab0f0000ef78b4093a15cbfb82a9cebecdcaf6bca782a5fdd20f6c7d2206d68a219626a9fe8ae13e9aec5e
>> install : $(TARGET)
>>