From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 01/23] python3-cryptography: Update to version 36.0.2
Date: Fri, 17 Jun 2022 11:14:25 +0100
Message-ID: <38C1743E-FF5E-4640-BB2C-CFF9A7F00D94@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8923886209247949141=="
List-Id:

--===============8923886209247949141==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Oh wow. 23 patches. That looks like a lot of work!

Thank you for this. I will not tag them all individually if that is okay :)

-Michael

> On 17 Jun 2022, at 11:00, Adolf Belka wrote:
>
> Dear All,
>
> For information this patch series can wait till CU170. It is not an urgent need to update in CU169.
>
> Regards,
> Adolf.
>
> On 17/06/2022 11:42, Adolf Belka wrote:
>> - Update from version 3.4.7 to 36.0.2
>>     After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021
>>     See Changelog section 35.0.0 below
>> - New release requires a lot of rust packages - see Changelog sections 35.0.0 & 36.0.0
>>     below. The required rust packages are installed in separate patches in this series
>> - Update of rootfile
>> - Changelog
>>     36.0.2 - 2022-03-15
>>         Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
>>     36.0.1 - 2021-12-14
>>         Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
>>     36.0.0 - 2021-11-21
>>         FINAL DEPRECATION Support for verifier and signer on our asymmetric key
>>             classes was deprecated in version 2.0. These functions had an extended
>>             deprecation due to usage, however the next version of cryptography will drop
>>             support. Users should migrate to sign and verify.
>>         The entire X.509 layer is now written in Rust. This allows alternate
>>             asymmetric key implementations that can support cloud key management
>>             services or hardware security modules provided they implement the necessary
>>             interface (for example: EllipticCurvePrivateKey).
>>         Deprecated the backend argument for all functions.
>>         Added support for AESOCB3.
>>         Added support for iterating over arbitrary request attributes.
>>         Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
>>             favor of get_attribute_for_oid() on the new Attributes object.
>>         Fixed handling of PEM files to allow loading when certificate and key are in
>>             the same file.
>>         Fixed parsing of CertificatePolicies extensions containing legacy BMPString
>>             values in their explicitText.
>>         Allow parsing of negative serial numbers in certificates. Negative serial
>>             numbers are prohibited by RFC 5280 so a deprecation warning will be raised
>>             whenever they are encountered. A future version of cryptography will drop
>>             support for parsing them.
>>         Added support for parsing PKCS12 files with friendly names for all
>>             certificates with load_pkcs12(), which will return an object of type
>>             PKCS12KeyAndCertificates.
>>         rfc4514_string() and related methods now have an optional attr_name_overrides
>>             parameter to supply custom OID to name mappings, which can be used to match
>>             vendor-specific extensions.
>>         BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address
>>             fields as E in rfc4514_string() methods from version 35.0.
>>             The previous behavior can be restored with:
>>             name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
>>         Allow X25519PublicKey and X448PublicKey to be used as public keys when
>>             parsing certificates or creating them with CertificateBuilder. These key
>>             types must be signed with a different signing algorithm as X25519 and X448
>>             do not support signing.
>>         Extension values can now be serialized to a DER byte string by calling
>>             public_bytes().
>>         Added experimental support for compiling against BoringSSL. As BoringSSL
>>             does not commit to a stable API, cryptography tests against the latest
>>             commit only. Please note that several features are not available when
>>             building against BoringSSL.
>>         Parsing CertificateSigningRequest from DER and PEM now, for a limited time
>>             period, allows the Extension critical field to be incorrectly encoded. See
>>             the issue for complete details. This will be reverted in a future
>>             cryptography release.
>>         When OCSPNonce are parsed and generated their value is now correctly wrapped
>>             in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the
>>             original behavior specified in RFC 2560. For a temporary period for
>>             backwards compatibility, we will also parse values that are encoded as
>>             specified in RFC 2560 but this behavior will be removed in a future release.
>>     35.0.0 - 2021-09-29
>>         Changed the version scheme. This will result in us incrementing the major
>>             version more frequently, but does not change our existing backwards
>>             compatibility policy.
>>         BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
>>             string passed have PEM delimiters of the correct type. For example, parsing
>>             a private key PEM concatenated with a certificate PEM will no longer be
>>             accepted by the PEM certificate parser.
>>         BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
>>             negative serial numbers. RFC 5280 has always prohibited these.
>>         BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509
>>             parsing will raise an error on initial parse rather than when the malformed
>>             field is accessed.
>>         Rust is now required for building cryptography, the
>>             CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
>>         Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
>>             This should be backwards compatible (modulo the items listed above) and
>>             improve both security and performance.
>>         Added support for OpenSSL 3.0.0 as a compilation target.
>>         Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
>>             are provided for compatibility in regions where they may be required, and
>>             are not generally recommended.
>>         We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
>>             manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
>>             Linux should ensure they upgrade to the latest pip to correctly receive
>>             wheels.
>>         Added rfc4514_attribute_name attribute to x509.NameAttribute.
>>         Added KBKDFCMAC.
>>     3.4.8 - 2021-08-24
>>         Updated Windows, macOS, and manylinux wheels to be compiled with
>>             OpenSSL 1.1.1l.
>> Signed-off-by: Adolf Belka
>> ---
>> .../rootfiles/packages/python3-cryptography | 25 ++++++++++---------
>> lfs/python3-cryptography | 6 ++---
>> 2 files changed, 16 insertions(+), 15 deletions(-)
>> diff --git a/config/rootfiles/packages/python3-cryptography b/config/rootf= iles/packages/python3-cryptography >> index 9f63606fb..a9ee32faf 100644 >> --- a/config/rootfiles/packages/python3-cryptography >> +++ b/config/rootfiles/packages/python3-cryptography 
>> @@ -1,20 +1,18 @@ >> usr/lib/python3.10/site-packages/cryptography >> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info >> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/PKG-= INFO >> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/SOUR= CES.txt >> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/depe= ndency_links.txt >> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/not-= zip-safe >> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/requ= ires.txt >> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/top_= level.txt >> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info >> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/PKG= -INFO >> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/SOU= RCES.txt >> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/dep= endency_links.txt >> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/not= -zip-safe >> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/req= uires.txt >> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/top= _level.txt >> usr/lib/python3.10/site-packages/cryptography/__about__.py >> usr/lib/python3.10/site-packages/cryptography/__init__.py >> usr/lib/python3.10/site-packages/cryptography/exceptions.py >> usr/lib/python3.10/site-packages/cryptography/fernet.py >> usr/lib/python3.10/site-packages/cryptography/hazmat >> usr/lib/python3.10/site-packages/cryptography/hazmat/__init__.py >> -usr/lib/python3.10/site-packages/cryptography/hazmat/_der.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/_oid.py >> -usr/lib/python3.10/site-packages/cryptography/hazmat/_types.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/__init__.py >> 
usr/lib/python3.10/site-packages/cryptography/hazmat/backends/interfaces.= py >> @@ -33,7 +31,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/bac= kends/openssl/ed448.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/enc= ode_asn1.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/has= hes.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/hma= c.py >> -usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ocs= p.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/pol= y1305.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/rsa= .py >> usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/uti= ls.py >> @@ -43,8 +40,12 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/ba= ckends/openssl/x509.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings >> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/__init__.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_openssl.ab= i3.so >> -usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_padding.ab= i3.so >> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust >> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust.abi3.= so >> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/__ini= t__.pyi >> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/asn1.= pyi >> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/ocsp.= pyi >> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/x509.= pyi >> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl >> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/__i= nit__.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/_co= nditional.py 
>> @@ -63,6 +64,7 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/pri= mitives/asymmetric/ed255 >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri= c/ed448.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri= c/padding.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri= c/rsa.py >> +usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri= c/types.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri= c/utils.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri= c/x25519.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri= c/x448.py >> @@ -97,7 +99,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/pri= mitives/twofactor >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor= /__init__.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor= /hotp.py >> usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor= /totp.py >> -usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor= /utils.py >> usr/lib/python3.10/site-packages/cryptography/py.typed >> usr/lib/python3.10/site-packages/cryptography/utils.py >> usr/lib/python3.10/site-packages/cryptography/x509 >> diff --git a/lfs/python3-cryptography b/lfs/python3-cryptography >> index f3090bc6a..77e5f06b0 100644 >> --- a/lfs/python3-cryptography >> +++ b/lfs/python3-cryptography >> @@ -24,7 +24,7 @@ >> include Config >> -VER =3D 3.4.7 >> +VER =3D 36.0.2 >> THISAPP =3D cryptography-$(VER) >> DL_FILE =3D $(THISAPP).tar.gz >> @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) >> DIR_APP =3D $(DIR_SRC)/$(THISAPP) >> TARGET =3D $(DIR_INFO)/$(THISAPP) >> PROG =3D python3-cryptography >> -PAK_VER =3D 1 >> +PAK_VER =3D 2 >> DEPS =3D python3-cffi 
>> @@ -46,7 +46,7 @@ objects =3D $(DL_FILE) >> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >> -$(DL_FILE)_BLAKE2 =3D 49bc1e098ed1ba0181059b645f6668cda6332d196eaca55270= ebce6e07e5bb6ab6724c5050fde20e89b7025773960d74ec782bb875badbbd5dc9a04db0a536f1 >> +$(DL_FILE)_BLAKE2 =3D b34b994e44b1ccd099a56fba4a167d563a29652f86ab0f0000e= f78b4093a15cbfb82a9cebecdcaf6bca782a5fdd20f6c7d2206d68a219626a9fe8ae13e9aec5e >> install : $(TARGET) >> =20 --===============8923886209247949141==--
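
Review bot: the four _rust/*.pyi entries added in the @@ -43,8 +40,12 @@ hunk of config/rootfiles/packages/python3-cryptography (__init__.pyi, asn1.pyi, ocsp.pyi, x509.pyi) are type stubs that Python does not load at runtime. Consider commenting them out with a leading #, together with the new bindings/_rust directory entry, as is already done for the egg-info entries at the top of this rootfile, so that only _rust.abi3.so from the new Rust bindings is packaged.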
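
Review bot: the VER bump in the @@ -24,7 +24,7 @@ hunk of lfs/python3-cryptography lands as patch 01/23, while the commit message says the rust packages this release requires are installed in separate patches of the same series. If those patches come after this one, the tree does not build at this commit; moving this update behind them keeps every commit in the series buildable. The commit message could also state which in-tree users of cryptography were checked against the entries the changelog marks BACKWARDS INCOMPATIBLE (PEM delimiter checks, negative serial numbers, invalid ASN.1 raising on initial parse).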
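
Review bot: the @@ -32,7 +32,7 @@ hunk of lfs/python3-cryptography bumps PAK_VER from 1 to 2 while the context line "DEPS = python3-cffi" stays as it was. Please confirm in the commit message that the new rust packages are build-time requirements only, so that the installed add-on still needs nothing beyond python3-cffi at runtime.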