Your message dated Wed, 11 Dec 2024 09:51:42 +0000
with message-id <e1tljne-00am8v...@fasolo.debian.org>
and subject line Bug#1089664: fixed in python-trustme 1.2.0-1
has caused the Debian Bug report #1089664,
regarding python3-trustme: Causes other packages to FTBFS with pyopenssl 24.3.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1089664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python3-trustme
Version: 1.2.0-0.1
Severity: serious
Tags: patch
Control: affects -1 src:python-cheroot

python-cheroot FTBFSes in unstable for a couple of reasons at the
moment, but one of them is that the latest python3-openssl has caused
DeprecationWarnings to show up via python3-trustme.  This manifests as
something like this:

  _________________________________________________________________________ test_ssl_adapters[pyopenssl] _________________________________________________________________________
  [gw4] linux -- Python 3.13.1 /usr/bin/python3.13
  
  http_request_timeout = 0.1
  tls_http_server = functools.partial(<function make_tls_http_server at 0x7fba15dcc180>, request=<SubRequest 'tls_http_server' for <Function test_ssl_adapters[pyopenssl]>>)
  adapter_type = 'pyopenssl', tls_certificate = <trustme.LeafCert object at 0x7fba159274d0>, tls_certificate_chain_pem_path = '/tmp/tmprthmjb0j.pem'
  tls_certificate_private_key_pem_path = '/tmp/tmphcv6h1pr.pem', tls_ca_certificate_pem_path = '/tmp/tmp63qa09j0.pem'
  
      @pytest.mark.parametrize(
          'adapter_type',
          (
              'builtin',
              'pyopenssl',
          ),
      )
      def test_ssl_adapters(
          http_request_timeout,
          tls_http_server, adapter_type,
          tls_certificate,
          tls_certificate_chain_pem_path,
          tls_certificate_private_key_pem_path,
          tls_ca_certificate_pem_path,
      ):
          """Test ability to connect to server via HTTPS using adapters."""
          interface, _host, port = _get_conn_data(ANY_INTERFACE_IPV4)
          tls_adapter_cls = get_ssl_adapter_class(name=adapter_type)
          tls_adapter = tls_adapter_cls(
              tls_certificate_chain_pem_path, tls_certificate_private_key_pem_path,
          )
          if adapter_type == 'pyopenssl':
              tls_adapter.context = tls_adapter.get_context()
  
  >       tls_certificate.configure_cert(tls_adapter.context)
  
  _host      = '0.0.0.0'
  adapter_type = 'pyopenssl'
  http_request_timeout = 0.1
  interface  = '127.0.0.1'
  port       = 0
  tls_adapter = <cheroot.ssl.pyopenssl.pyOpenSSLAdapter object at 0x7fba15cbfcb0>
  tls_adapter_cls = <class 'cheroot.ssl.pyopenssl.pyOpenSSLAdapter'>
  tls_ca_certificate_pem_path = '/tmp/tmp63qa09j0.pem'
  tls_certificate = <trustme.LeafCert object at 0x7fba159274d0>
  tls_certificate_chain_pem_path = '/tmp/tmprthmjb0j.pem'
  tls_certificate_private_key_pem_path = '/tmp/tmphcv6h1pr.pem'
  tls_http_server = functools.partial(<function make_tls_http_server at 0x7fba15dcc180>, request=<SubRequest 'tls_http_server' for <Function test_ssl_adapters[pyopenssl]>>)
  
  cheroot/test/test_ssl.py:212:
  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _
  /usr/lib/python3/dist-packages/trustme/__init__.py:553: in configure_cert
      ctx.use_certificate(cert)
          FILETYPE_PEM = 1
          cert       = <OpenSSL.crypto.X509 object at 0x7fba15cbdbe0>
          ctx        = <OpenSSL.SSL.Context object at 0x7fba15cbe660>
          key        = <cryptography.hazmat.bindings._rust.openssl.ec.ECPrivateKey object at 0x7fba140bcb10>
          load_certificate = <function load_certificate at 0x7fba15d82ca0>
          self       = <trustme.LeafCert object at 0x7fba159274d0>
  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ _ _
  
  self = <OpenSSL.SSL.Context object at 0x7fba15cbe660>, cert = <OpenSSL.crypto.X509 object at 0x7fba15cbdbe0>
  
      def use_certificate(self, cert: X509 | x509.Certificate) -> None:
          """
          Load a certificate from a X509 object
  
          :param cert: The X509 object
          :return: None
          """
          # Mirrored at Connection.use_certificate
          if not isinstance(cert, X509):
              cert = X509.from_cryptography(cert)
          else:
  >           warnings.warn(
                  (
                      "Passing pyOpenSSL X509 objects is deprecated. You "
                      "should use a cryptography.x509.Certificate instead."
                  ),
                  DeprecationWarning,
                  stacklevel=2,
              )
  E           DeprecationWarning: Passing pyOpenSSL X509 objects is deprecated. You should use a cryptography.x509.Certificate instead.
  
  cert       = <OpenSSL.crypto.X509 object at 0x7fba15cbdbe0>
  self       = <OpenSSL.SSL.Context object at 0x7fba15cbe660>
  
  /usr/lib/python3/dist-packages/OpenSSL/SSL.py:1140: DeprecationWarning

(This also shows up as warnings when building python-trustme, but they
don't cause failures in that context.)

The attached patch is cherry-picked from upstream and fixes this.  If
you're still busy, would you like me to NMU again?

Thanks,

-- 
Colin Watson (he/him)                              [cjwat...@debian.org]
diff -Nru python-trustme-1.2.0/debian/changelog 
python-trustme-1.2.0/debian/changelog
--- python-trustme-1.2.0/debian/changelog       2024-11-19 20:22:45.000000000 
+0000
+++ python-trustme-1.2.0/debian/changelog       2024-12-10 19:31:04.000000000 
+0000
@@ -1,3 +1,10 @@
+python-trustme (1.2.0-0.2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Use cryptography to load the pyOpenSSL certificates.
+
+ -- Colin Watson <cjwat...@debian.org>  Tue, 10 Dec 2024 19:31:04 +0000
+
 python-trustme (1.2.0-0.1) unstable; urgency=medium
 
   * Non-maintainer upload with maintainer's permission.
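
Review bot: The new 1.2.0-0.2 entry's "Use cryptography to load the pyOpenSSL certificates" bullet carries no bug reference, so an upload built from this changelog would not close the report the patch is attached to; append "(Closes: #1089664)" to that bullet. The entry also still targets UNRELEASED, which has to become the real distribution before anything is uploaded.
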
diff -Nru python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch 
python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch
--- python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch    
1970-01-01 01:00:00.000000000 +0100
+++ python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch    
2024-12-10 19:31:04.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Use cryptography to load the pyOpenSSL certificates
+Origin: backport, https://github.com/python-trio/trustme/pull/670
+Author: EXPLOSION <g...@helvetica.moe>
+Last-Update: 2024-12-10
+
+Index: b/src/trustme/__init__.py
+===================================================================
+--- a/src/trustme/__init__.py
++++ b/src/trustme/__init__.py
+@@ -8,7 +8,7 @@
+ from contextlib import contextmanager
+ from enum import Enum
+ from tempfile import NamedTemporaryFile
+-from typing import TYPE_CHECKING, Generator, List, Optional, Union
++from typing import TYPE_CHECKING, Generator, List, Optional, Union, cast
+ 
+ import idna
+ from cryptography import x509
+@@ -545,15 +545,13 @@
+             with self.private_key_and_cert_chain_pem.tempfile() as path:
+                 ctx.load_cert_chain(path)
+         elif _smells_like_pyopenssl(ctx):
+-            from OpenSSL.crypto import FILETYPE_PEM, load_certificate, 
load_privatekey
+-
+-            key = load_privatekey(FILETYPE_PEM, self.private_key_pem.bytes())
+-            ctx.use_privatekey(key)
+-            cert = load_certificate(FILETYPE_PEM, 
self.cert_chain_pems[0].bytes())
+-            ctx.use_certificate(cert)
++            key = load_pem_private_key(self.private_key_pem.bytes(), None)
++            ctx.use_privatekey(key)  # type: ignore[arg-type]
++            cert = 
x509.load_pem_x509_certificate(self.cert_chain_pems[0].bytes())
++            ctx.use_certificate(cert)  # type: ignore[arg-type]
+             for pem in self.cert_chain_pems[1:]:
+-                cert = load_certificate(FILETYPE_PEM, pem.bytes())
+-                ctx.add_extra_chain_cert(cert)
++                cert = x509.load_pem_x509_certificate(pem.bytes())
++                ctx.add_extra_chain_cert(cert)  # type: ignore[arg-type]
+         else:
+             raise TypeError(
+                 "unrecognized context type 
{!r}".format(ctx.__class__.__name__)
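
Review bot: The added line "key = load_pem_private_key(self.private_key_pem.bytes(), None)" uses a name that no hunk here imports, while the only import change adds "cast" to the typing import and none of the visible added lines call cast; confirm load_pem_private_key is already imported at module level in src/trustme/__init__.py and drop the cast addition if nothing uses it. The rewritten branch now hands cryptography objects straight to ctx.use_privatekey, ctx.use_certificate and ctx.add_extra_chain_cert and silences the type checker with "# type: ignore[arg-type]" on all three calls, so it only works with a pyOpenSSL that accepts those types; the traceback in the report shows use_certificate doing so in the version under test, but the debdiff adds no versioned dependency on python3-openssl to guarantee that. The DEP-3 header would also benefit from a Bug-Debian field pointing at the report.
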
diff -Nru python-trustme-1.2.0/debian/patches/series 
python-trustme-1.2.0/debian/patches/series
--- python-trustme-1.2.0/debian/patches/series  1970-01-01 01:00:00.000000000 
+0100
+++ python-trustme-1.2.0/debian/patches/series  2024-12-10 19:28:33.000000000 
+0000
@@ -0,0 +1 @@
+pyOpenSSL-cryptography.patch

--- End Message ---
--- Begin Message ---
Source: python-trustme
Source-Version: 1.2.0-1
Done: Robie Basak <ro...@justgohome.co.uk>

We believe that the bug you reported is fixed in the latest version of
python-trustme, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1089...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robie Basak <ro...@justgohome.co.uk> (supplier of updated python-trustme 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Dec 2024 09:20:35 +0000
Source: python-trustme
Built-For-Profiles: noudeb
Architecture: source
Version: 1.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Robie Basak <ro...@justgohome.co.uk>
Changed-By: Robie Basak <ro...@justgohome.co.uk>
Closes: 1089664
Changes:
 python-trustme (1.2.0-1) unstable; urgency=medium
 .
   [ Colin Watson ]
   * Use cryptography to load the pyOpenSSL certificates (Closes: #1089664).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----



--- End Message ---
