[BUG] macOS Ventura requires at last cryptography 3.4.6

[jpmckinney]

Description

macOS Ventura cannot install cryptography < 3.4.6. Salt locks to 3.3.2.

Steps to Reproduce the behavior

$ pip install 'cryptography<3.4.6'
-- snip --
      build/temp.macosx-12.2-arm64-cpython-310/_openssl.c:575:10: fatal error: 'openssl/opensslv.h' file not found
      #include <openssl/opensslv.h>
               ^~~~~~~~~~~~~~~~~~~~
      1 error generated.
-- snip --

See also https://cryptography.io/en/latest/faq/#installing-cryptography-produces-a-fatal-error-openssl-opensslv-h-file-not-found-error (pip is the latest version though)

Expected behavior

pip install salt-ssh succeeds.

Versions Report

Can't run salt --versions-report as can't install it!

Using Python 3.10.2 and pip 22.3.1

          dist: darwin 22.1.0 
        locale: UTF-8
       machine: x86_64
       release: 22.1.0
        system: Darwin
       version: 13.0.1 x86_64

[OrangeDog]

https://cryptography.io/en/latest/installation/#building-cryptography-on-macos

[jpmckinney]

I already have Xcode command line tools, and rust and openssl@3 from Homebrew. The build doesn't work because cryptography==3.3.2 is ancient. The dependency needs to be upgraded. 3.4.6 provides a wheel that works.

Edit: To clarify, I can install the latest version of cryptography from source with a command like env CPPFLAGS=-I/opt/homebrew/opt/openssl@3/include LDFLAGS=-L/opt/homebrew/opt/openssl@3/lib pip install --no-binary :all: cryptography. Installing the wheel works with just pip install cryptography. The only option to install 3.3.2 on macOS Ventura on an M1 Mac is from source (no wheel available), but attempting the first command yields errors like error: implicit declaration of function 'FIPS_mode_set' is invalid in C99.

Edit 2: I can install 3.3.2 with env CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include -Wno-error=implicit-function-declaration" LDFLAGS=-L/opt/homebrew/opt/openssl@3/lib pip install --no-binary :all: cryptography==3.3.2, but this is getting silly.

[OrangeDog]

Feb 7, 2021 is hardly "ancient". It should be perfectly possible to build. Your error above is because you didn't run the correct command, as given in that guide.

[jpmckinney]

🤷‍♂️ The guide doesn't mention -Wno-error=implicit-function-declaration, without which the build errors (guide works fine on more recent versions of cryptography). Anyhow, it seems like a better user experience to use a version of cryptography for which a wheel is available, rather than requiring Mac users to compile from source, by reading a guide that isn't part of Salt's documentation.

[jpmckinney]

3.3.2 also has CVE-2023-0286 (critical) (though I guess it only affects wheels) and CVE-2023-23931 (moderate). These two require upgrading to 39.0.1.