python37Packages.cryptography: 2.5 -> 2.6.1 #56690
LGTM!
Looking at changelog for 2.6.1, this also helps use OpenSSL 1.1.x goodness once we switch over!
Is this good for merge into staging?
I have not yet run a job on Hydra as it's already overloaded with the release branch and such. I intend to run a job a week or so after the release, although actually I think everything will be fine.
Ah I see, you think it should be fine. But if there's any problems a hydra job would reveal it would probably be a good idea 👍 Thanks.
}; | ||
|
||
outputs = [ "out" "dev" ]; | ||
|
||
buildInputs = [ openssl cryptography_vectors ] | ||
buildInputs = [ openssl ] |
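Review bot: `cryptography_vectors` is in the first `buildInputs` line and absent from the second, and these lines do not show where it goes instead. Since the package holds the test vectors for `cryptography`, check that it is still listed for the check phase (for example in `checkInputs`) so the test suite keeps running against the matching vectors.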
Should `openssl` be pointed towards `openssl_1_1`? At least for `sourcehut` to work support for `ed25519` is needed which isn't provided by the default `openssl`.
```
File "/nix/store/jszvzjmq5nx90dlw8d80hcyfwzzqzj7p-python3.7-cryptography-2.6.1/lib/python3.7/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py", line 63, in from_private_bytes
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.
```
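The failure in the traceback above only appears when a key is first used. As an added example (not part of the PR or of nixpkgs), the probe below surfaces it up front by reporting the linked OpenSSL version and round-tripping an Ed25519 signature; the function name `probe_ed25519` and the message bytes are assumptions made for illustration.

```python
"""Probe whether the linked OpenSSL can do Ed25519 (added example)."""


def probe_ed25519():
    """Return (status, detail); status is 'ok', 'unsupported' or 'missing'."""
    try:
        from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
        from cryptography.hazmat.backends.openssl import backend
        from cryptography.hazmat.primitives.asymmetric import ed25519
    except ImportError as exc:
        # cryptography itself (or its ed25519 module, new in 2.6) is absent.
        return "missing", str(exc)

    openssl = backend.openssl_version_text()
    try:
        key = ed25519.Ed25519PrivateKey.generate()
    except UnsupportedAlgorithm as exc:
        # Same exception as in the traceback, caught before first real use.
        return "unsupported", f"{openssl}: {exc}"

    # Round-trip a constructed message so a half-working backend is caught too.
    message = b"constructed probe message"
    signature = key.sign(message)
    public = key.public_key()
    public.verify(signature, message)  # raises InvalidSignature on failure
    try:
        public.verify(signature, message + b"!")
    except InvalidSignature:
        return "ok", openssl
    return "unsupported", f"{openssl}: tampered message verified"


if __name__ == "__main__":
    status, detail = probe_ed25519()
    print(f"ed25519: {status} ({detail})")
    raise SystemExit(0 if status == "ok" else 1)
```

Run as a script, it exits non-zero unless Ed25519 works, so it can gate a package's install check.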
On Sat, 20 Apr 2019 14:43:16 -0700, Edmund Wu ***@***.***> wrote:
> Should `openssl` be pointed towards `openssl_1_1`? At least for `sourcehut` to work support for `ed25519` is needed which isn't provided by the default `openssl`.

Sounds good to me-- while we're at it,
when can we make this the default?

> ```
> File "/nix/store/jszvzjmq5nx90dlw8d80hcyfwzzqzj7p-python3.7-cryptography-2.6.1/lib/python3.7/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py", line 63, in from_private_bytes
> _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
> cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.
> ```
Force-pushed from bdbfd56 to 90509b8.
@eadwu @dtzWill I would prefer to change the OpenSSL version in another PR, optimally in #22357, to avoid the risk of breaking too many things at once and test it more extensively. This PR is open for way too long now and should be pretty safe to merge (I'm not aware of any problems due to past updates of `cryptography` - apart from a few warning messages).
This should make the management easier. The package cryptography_vectors contains the test vectors for cryptography and should therefore always have the same version. By linking the version of cryptography_vectors to cryptography, this simply cannot be forgotten.
Changelog: https://cryptography.io/en/latest/changelog/#v2-6-1
Important changes:
- BACKWARDS INCOMPATIBLE: Removed cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature and cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature, which had been deprecated for nearly 4 years. Use encode_dss_signature() and decode_dss_signature() instead.
- BACKWARDS INCOMPATIBLE: Removed cryptography.x509.Certificate.serial, which had been deprecated for nearly 3 years. Use serial_number instead.
Force-pushed from 90509b8 to 186fc20.
On Mon, 22 Apr 2019 03:23:42 -0700, Michael Weiss ***@***.***> wrote:
> @eadwu @dtzWill I would prefer to change the OpenSSL version in another PR, optimally in #22357, to avoid the risk of breaking too many things at once and test it more extensively.

Oh, absolutely! I was just ... chatting about how we might want to do it
in general :).
Agreed that's a fight for a different PR.

> This PR is open for way too long now and should be pretty safe to merge (I'm not aware of any problems due to past updates of `cryptography` - apart from a few warning messages).
> I'll run a few rebuilds and merge this if there aren't any problems (though I am not sure how useful that actually is as most failures would probably occur at runtime - apart from failures due to pinned versions, but that wasn't a problem in the past and shouldn't have changed).
Ok, great - yeah it's really time to switch to OpenSSL 1.1 in general... I ran most rebuilds and didn't notice any failures that are related to this PR and this update should be fine :)
❇️ 🎆