x509.UnsupportedExtension is gone in cryptography >= 2.1 #1342
Conversation
|
Thanks @jlaine. I'm not sure we can just remove this without increasing the minimum version we require in |
|
Requiring the latest version of pyopenssl/cryptography seems pretty reasonable. (In fact the latest version of pyopenssl does require the latest version of cryptography.) If you want to alias it instead, I guess something like this would work: try:
from cryptography.x509 import UnsupportedExtension
except ImportError:
# Putting this in an except: will never catch anything, because no-one ever throws it
class UnsupportedExtension(Exception):
pass |
|
The try/except import is one option; does |
|
The current release of pyopenssl only supports cryptography >= 2.1.4, and the next one will support only >= 2.2.1, do we really want to support older versions? This would means explicitly testing against these older versions. |
I'm pretty sure we already do our best to test older versions. The short of it is that downstream packagers cherry-pick (in my experience) what things they actually update. Things like cryptography and pyopenssl make it hard for us to raise our minimum versions if their already packaged software works fine with an older version and would break by us updating our minimum requirement. We can try to push the entire world forward, but that will be very unpleasant for the maintainers of this project. |
|
I was looking through the travis config files and I don't see any entries for testing different pyopenssl / crypto versions, can someone point me to the right place maybe? |
|
It would also be really nice if this PR had a test that exercised that I asked about this on #cryptography, and @reaperhulk generously made this cert with a duplicate extension, so it should trigger that "A problem was encountered with the certificate..." block: https://gist.github.com/reaperhulk/70f2c4daba422a7f83965111cc2134e3 |
Codecov Report
@@ Coverage Diff @@
## master #1342 +/- ##
======================================
Coverage 100% 100%
======================================
Files 21 21
Lines 2014 2014
======================================
Hits 2014 2014
Continue to review full report at Codecov.
|
|
The osx tests seem pretty flaky, the failures don't seem to be related to these changes. |
|
@jlaine the OSX tests are passing but codecov shows this as a decrease in overall project coverage. Please address that. |
|
The codecov seems to be out of date, and based on the failing test run, the changes it is reporting are in unrelated files. The exception I changed was in a branch which was previously untested, and I added a test for it. The only part of the change which is likely to negatively affect coverage is the try/except I was asked to add around the import: as pointed out earlier, the build matrix always uses the latest version of cryptography, which does not exercise the "except". I'll push an empty commit to see if we can get a full run to get a clearer picture of what is going on. |
|
Ok I give up, the test suite on osx seems really random. |
|
@jlaine your empty commit seems to have passed all the CI. What is random at the moment? |
|
Hm, I guess I was wrong but I could have sworn both Python 3.6 and 3.7 had failed on osx. |
|
It did. I re-ran it. |
|
If there aren't any additional comments I'd say this can get merged today? @sigmavirus24 @haikuginger? |
|
Thanks @jlaine! 🎉 |
This fixes the issue reported in #1341