From mboxrd@z Thu Jan  1 00:00:00 1970
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 01/23] python3-cryptography: Update to version 36.0.2
Date: Fri, 17 Jun 2022 12:00:42 +0200
Message-ID: <be339fc4-387b-0cd8-7993-76edc1182ada@ipfire.org>
In-Reply-To: <20220617094243.6422-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1451881149906542962=="
List-Id: <development.lists.ipfire.org>

--===============1451881149906542962==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Dear All,

For information this patch series can wait till CU170. It is not an urgent ne=
ed to update in CU169.

Regards,
Adolf.

On 17/06/2022 11:42, Adolf Belka wrote:
> - Update from version 3.4.7 to 36.0.2
>     After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021
>     See Chanelog section 35.0.0 below
> - New release requires a lot of rust packages - see Changelog sections 35.0=
.0 & 36.0.0
>     below. The required rust packages are installed in separate patches in =
this series
> - Update of rootfile
> - Changelog
> 	36.0.2 - 2022-03-15=C2=B6
> 	    Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1=
.1.1n.
> 	36.0.1 - 2021-12-14=C2=B6
> 	    Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1=
.1.1m.
> 	36.0.0 - 2021-11-21=C2=B6
> 	    FINAL DEPRECATION Support for verifier and signer on our asymmetric key
>               classes was deprecated in version 2.0. These functions had an=
 extended
>               deprecation due to usage, however the next version of cryptog=
raphy will drop
>               support. Users should migrate to sign and verify.
> 	    The entire X.509 layer is now written in Rust. This allows alternate
>               asymmetric key implementations that can support cloud key man=
agement
>               services or hardware security modules provided they implement=
 the necessary
>               interface (for example: EllipticCurvePrivateKey).
> 	    Deprecated the backend argument for all functions.
> 	    Added support for AESOCB3.
> 	    Added support for iterating over arbitrary request attributes.
> 	    Deprecated the get_attribute_for_oid method on CertificateSigningReque=
st in
>               favor of get_attribute_for_oid() on the new Attributes object.
> 	    Fixed handling of PEM files to allow loading when certificate and key =
are in
>               the same file.
> 	    Fixed parsing of CertificatePolicies extensions containing legacy BMPS=
tring
>               values in their explicitText.
> 	    Allow parsing of negative serial numbers in certificates. Negative ser=
ial
>               numbers are prohibited by RFC 5280 so a deprecation warning w=
ill be raised
>               whenever they are encountered. A future version of cryptograp=
hy will drop
>               support for parsing them.
> 	    Added support for parsing PKCS12 files with friendly names for all
>               certificates with load_pkcs12(), which will return an object =
of type
>               PKCS12KeyAndCertificates.
> 	    rfc4514_string() and related methods now have an optional attr_name_ov=
errides
>               parameter to supply custom OID to name mappings, which can be=
 used to match
>               vendor-specific extensions.
> 	    BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email a=
ddress
>               fields as E in rfc4514_string() methods from version 35.0.
> 	    The previous behavior can be restored with:
>               name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
> 	    Allow X25519PublicKey and X448PublicKey to be used as public keys when
>               parsing certificates or creating them with CertificateBuilder=
. These key
>               types must be signed with a different signing algorithm as X2=
5519 and X448
>               do not support signing.
> 	    Extension values can now be serialized to a DER byte string by calling
>               public_bytes().
> 	    Added experimental support for compiling against BoringSSL. As BoringS=
SL
>               does not commit to a stable API, cryptography tests against t=
he latest
>               commit only. Please note that several features are not availa=
ble when
>               building against BoringSSL.
> 	    Parsing CertificateSigningRequest from DER and PEM now, for a limited =
time
>               period, allows the Extension critical field to be incorrectly=
 encoded. See
>               the issue for complete details. This will be reverted in a fu=
ture
>               cryptography release.
> 	    When OCSPNonce are parsed and generated their value is now correctly w=
rapped
>               in an ASN.1 OCTET STRING. This conforms to RFC 6960 but confl=
icts with the
>               original behavior specified in RFC 2560. For a temporary peri=
od for
>               backwards compatibility, we will also parse values that are e=
ncoded as
>               specified in RFC 2560 but this behavior will be removed in a =
future release.
> 	35.0.0 - 2021-09-29=C2=B6
> 	    Changed the version scheme. This will result in us incrementing the ma=
jor
>               version more frequently, but does not change our existing bac=
kwards
>               compatibility policy.
> 	    BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
>               string passed have PEM delimiters of the correct type. For ex=
ample, parsing
>               a private key PEM concatenated with a certificate PEM will no=
 longer be
>               accepted by the PEM certificate parser.
> 	    BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
>               negative serial numbers. RFC 5280 has always prohibited these.
> 	    BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during=
 X.509
>               parsing will raise an error on initial parse rather than when=
 the malformed
>               field is accessed.
> 	    Rust is now required for building cryptography, the
>               CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longe=
r respected.
> 	    Parsers for X.509 no longer use OpenSSL and have been rewritten in Rus=
t.
>               This should be backwards compatible (modulo the items listed =
above) and
>               improve both security and performance.
> 	    Added support for OpenSSL 3.0.0 as a compilation target.
> 	    Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorit=
hms
>               are provided for compatibility in regions where they may be r=
equired, and
>               are not generally recommended.
> 	    We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
>               manylinux2010 and manylinux2014 wheels. Users on distribution=
s like Alpine
>               Linux should ensure they upgrade to the latest pip to correct=
ly receive
>               wheels.
> 	    Added rfc4514_attribute_name attribute to x509.NameAttribute.
> 	    Added KBKDFCMAC.
> 	3.4.8 - 2021-08-24=C2=B6
> 	    Updated Windows, macOS, and manylinux wheels to be compiled with
>               OpenSSL 1.1.1l.
>=20
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>   .../rootfiles/packages/python3-cryptography   | 25 ++++++++++---------
>   lfs/python3-cryptography                      |  6 ++---
>   2 files changed, 16 insertions(+), 15 deletions(-)
>=20
> diff --git a/config/rootfiles/packages/python3-cryptography b/config/rootfi=
les/packages/python3-cryptography
> index 9f63606fb..a9ee32faf 100644
> --- a/config/rootfiles/packages/python3-cryptography
> +++ b/config/rootfiles/packages/python3-cryptography
> @@ -1,20 +1,18 @@
>   usr/lib/python3.10/site-packages/cryptography
> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info
> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/PKG-I=
NFO
> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/SOURC=
ES.txt
> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/depen=
dency_links.txt
> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/not-z=
ip-safe
> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/requi=
res.txt
> -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/top_l=
evel.txt
> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info
> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/PKG-=
INFO
> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/SOUR=
CES.txt
> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/depe=
ndency_links.txt
> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/not-=
zip-safe
> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/requ=
ires.txt
> +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/top_=
level.txt
>   usr/lib/python3.10/site-packages/cryptography/__about__.py
>   usr/lib/python3.10/site-packages/cryptography/__init__.py
>   usr/lib/python3.10/site-packages/cryptography/exceptions.py
>   usr/lib/python3.10/site-packages/cryptography/fernet.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat
>   usr/lib/python3.10/site-packages/cryptography/hazmat/__init__.py
> -usr/lib/python3.10/site-packages/cryptography/hazmat/_der.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/_oid.py
> -usr/lib/python3.10/site-packages/cryptography/hazmat/_types.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/__init__.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/interfaces.=
py
> @@ -33,7 +31,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/back=
ends/openssl/ed448.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/enc=
ode_asn1.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/has=
hes.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/hma=
c.py
> -usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ocsp=
.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/pol=
y1305.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/rsa=
.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/uti=
ls.py
> @@ -43,8 +40,12 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/bac=
kends/openssl/x509.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings
>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/__init__.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_openssl.ab=
i3.so
> -usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_padding.abi=
3.so
> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust
>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust.abi3.=
so
> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/__init=
__.pyi
> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/asn1.p=
yi
> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/ocsp.p=
yi
> +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/x509.p=
yi
>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl
>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/__i=
nit__.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/_co=
nditional.py
> @@ -63,6 +64,7 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/prim=
itives/asymmetric/ed255
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri=
c/ed448.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri=
c/padding.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri=
c/rsa.py
> +usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric=
/types.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri=
c/utils.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri=
c/x25519.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetri=
c/x448.py
> @@ -97,7 +99,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/prim=
itives/twofactor
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor=
/__init__.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor=
/hotp.py
>   usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor=
/totp.py
> -usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/=
utils.py
>   usr/lib/python3.10/site-packages/cryptography/py.typed
>   usr/lib/python3.10/site-packages/cryptography/utils.py
>   usr/lib/python3.10/site-packages/cryptography/x509
> diff --git a/lfs/python3-cryptography b/lfs/python3-cryptography
> index f3090bc6a..77e5f06b0 100644
> --- a/lfs/python3-cryptography
> +++ b/lfs/python3-cryptography
> @@ -24,7 +24,7 @@
>  =20
>   include Config
>  =20
> -VER        =3D 3.4.7
> +VER        =3D 36.0.2
>  =20
>   THISAPP    =3D cryptography-$(VER)
>   DL_FILE    =3D $(THISAPP).tar.gz
> @@ -32,7 +32,7 @@ DL_FROM    =3D $(URL_IPFIRE)
>   DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
>   TARGET     =3D $(DIR_INFO)/$(THISAPP)
>   PROG       =3D python3-cryptography
> -PAK_VER    =3D 1
> +PAK_VER    =3D 2
>  =20
>   DEPS       =3D python3-cffi
>  =20
> @@ -46,7 +46,7 @@ objects =3D $(DL_FILE)
>  =20
>   $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
>  =20
> -$(DL_FILE)_BLAKE2 =3D 49bc1e098ed1ba0181059b645f6668cda6332d196eaca55270eb=
ce6e07e5bb6ab6724c5050fde20e89b7025773960d74ec782bb875badbbd5dc9a04db0a536f1
> +$(DL_FILE)_BLAKE2 =3D b34b994e44b1ccd099a56fba4a167d563a29652f86ab0f0000ef=
78b4093a15cbfb82a9cebecdcaf6bca782a5fdd20f6c7d2206d68a219626a9fe8ae13e9aec5e
>  =20
>   install : $(TARGET)
>  =20

--===============1451881149906542962==--