On Sat, Aug 17, 2024 at 01:07:13AM +0200, Tobias Gruetzmacher wrote:
> Package: python3-cryptography
> Version: 42.0.5-2+b1
> Followup-For: Bug #1078747
>
> Hi,
>
> This was caused by the recent split of legacy providers from the main
> OpenSSL package. Installing openssl-provider-legacy "fixes" the error.
> These are the algorithms considered "legacy":
>
> Hashing: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
> Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED
> KDF: PBKDF1, PVKKDF
> (From
> https://manpages.debian.org/bookworm/openssl/OSSL_PROVIDER-legacy.7ssl.en.html)
>
> Some of the software I tried works with setting
> CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1, because they obviously don't use any
> of the legacy algorithms...
>
> I wonder if this really needs to be a hard fail in Debian? Or do we want
> to patch every cryptography-using tool with a line like
>
> os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = "1"
>
> to "promise" not to require the legacy ciphers? And every package which
> needs these ciphers must add a dependency on openssl-provider-legacy?
>
> I currently don't have a good solution. Making python3-cryptography
> depend on openssl-provider-legacy feels kinda wrong to me...

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965041#50 and below.

-- 
WBR, wRAR
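
Added example, not part of the original messages and not code from python-cryptography or Debian: a heuristic AST scan a packager could run over a tool's sources to decide between the two options raised in the quoted message (set `CRYPTOGRAPHY_OPENSSL_NO_LEGACY`, or depend on openssl-provider-legacy). The function names `audit_source` and `verdict` are hypothetical, and the mapping from cryptography class names to the quoted cipher list is an assumption; hashes and KDFs are not covered.

```python
import ast

# Assumption: cryptography class names mapped to the legacy cipher names in the
# list quoted above (hashes and KDFs are not covered by this sketch).
LEGACY_CLASSES = {"Blowfish": "Blowfish", "CAST5": "CAST", "IDEA": "IDEA",
                  "RC2": "RC2", "ARC4": "RC4", "SEED": "SEED"}
OPT_OUT = "CRYPTOGRAPHY_OPENSSL_NO_LEGACY"


def audit_source(source):
    """Heuristic AST scan: legacy ciphers referenced, and opt-out mentioned?"""
    uses_cryptography, hits, opt_out = False, set(), False
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [a.name for a in node.names]
            uses_cryptography |= any(n.split(".")[0] == "cryptography" for n in names)
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] == "cryptography":
                uses_cryptography = True
                hits |= {a.name for a in node.names if a.name in LEGACY_CLASSES}
        elif isinstance(node, ast.Attribute) and node.attr in LEGACY_CLASSES:
            hits.add(node.attr)  # e.g. algorithms.ARC4(key)
        elif isinstance(node, ast.Constant) and node.value == OPT_OUT:
            opt_out = True
    legacy = sorted(LEGACY_CLASSES[h] for h in hits) if uses_cryptography else []
    return {"legacy": legacy, "opt_out": opt_out}


def verdict(report):
    if report["legacy"] and report["opt_out"]:
        return "conflict: opt-out set but legacy ciphers referenced"
    if report["legacy"]:
        return "depend on openssl-provider-legacy"
    return "no legacy ciphers found: opt-out is a candidate"


# Constructed sample sources, not taken from any real package.
SAMPLE_MODERN = '''
import os
os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = "1"
from cryptography.hazmat.primitives.ciphers import algorithms
algo = algorithms.AES(b"0" * 32)
'''
SAMPLE_LEGACY = '''
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish
algo = algorithms.ARC4(b"0" * 16)
'''

if __name__ == "__main__":
    for name, src in (("modern", SAMPLE_MODERN), ("legacy", SAMPLE_LEGACY)):
        print(name, verdict(audit_source(src)))
```

The scan only sees names written literally in the source, so ciphers selected by string at runtime or pulled in through a dependency are missed and still need a manual check.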