python3Packages.cryptography: 3.2.1 -> 3.3.1 #106549

Merged
merged 1 commit into from Dec 14, 2020


primeos
Member

@primeos primeos commented Dec 10, 2020

Backward incompatible changes:

  • Support for Python 3.5 has been removed due to low usage and
    maintenance burden.
  • The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte)
    initialization vectors. This change is to conform with an upcoming
    OpenSSL release that will no longer support sizes outside this window.
  • When deserializing asymmetric keys we now raise ValueError rather than
    UnsupportedAlgorithm when an unsupported cipher is used. This change
    is to conform with an upcoming OpenSSL release that will no longer
    distinguish between error types.
  • We no longer allow loading of finite field Diffie-Hellman parameters
    of less than 512 bits in length. This change is to conform with an
    upcoming OpenSSL release that no longer supports smaller sizes. These
    keys were already wildly insecure and should not have been used in any
    application outside of testing.
Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
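
An added illustration of the GCM/AESGCM initialization-vector change listed in the notes above (not code from this pull request, Nixpkgs or the cryptography project): a heuristic static check that flags IVs outside the 8 to 128 byte window before a code base is moved to 3.3.x. The function names and the sample source are constructed for this example, and the check only sees sizes written as a bytes literal or `os.urandom(<int>)`, directly or through a simple assignment.

```python
import ast

GCM_IV_MIN, GCM_IV_MAX = 8, 128  # bytes; the window stated in the 3.3 notes

# Constructed sample (not from the PR): source written against 3.2.1.
SAMPLE = '''\
aesgcm = AESGCM(key)
short = os.urandom(4)
aesgcm.encrypt(short, b"data", None)
aesgcm.encrypt(os.urandom(12), b"data", None)
modes.GCM(os.urandom(256))
fernet.encrypt(b"hi")
'''

def _call_name(node):
    """Trailing name of a call target: modes.GCM(...) -> 'GCM'."""
    f = getattr(node, "func", None)
    return getattr(f, "attr", None) or getattr(f, "id", None)

def _static_len(node, known):
    """Byte length of b'...', os.urandom(<int>) or a name bound to one."""
    if isinstance(node, ast.Name):
        return known.get(node.id)
    if isinstance(node, ast.Constant) and isinstance(node.value, bytes):
        return len(node.value)
    if _call_name(node) == "urandom" and node.args:
        n = getattr(node.args[0], "value", None)
        return n if isinstance(n, int) else None
    return None

def find_bad_gcm_ivs(source):
    """Return sorted [(lineno, iv_len)] for GCM IVs with a known bad size."""
    known, aead, findings = {}, set(), []
    nodes = list(ast.walk(ast.parse(source)))
    for node in nodes:  # flow-insensitive pass over `name = value` bindings
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            if _call_name(node.value) == "AESGCM":
                aead.add(node.targets[0].id)
            known[node.targets[0].id] = _static_len(node.value, {})
    for node in nodes:
        name = _call_name(node)
        recv = getattr(getattr(node, "func", None), "value", None)
        on_aead = getattr(recv, "id", None) in aead or _call_name(recv) == "AESGCM"
        if (name == "GCM" or (name in ("encrypt", "decrypt") and on_aead)) and node.args:
            size = _static_len(node.args[0], known)
            if size is not None and not GCM_IV_MIN <= size <= GCM_IV_MAX:
                findings.append((node.lineno, size))
    return sorted(findings)
```

IVs whose size is computed at run time are not seen by this check, so a clean result does not replace running the test suite against the new version.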

@prusnak
Member

prusnak commented Dec 10, 2020

  • Support for Python 3.5 has been removed due to low usage and maintenance burden.

Maybe add disabled = pythonOlder "3.6"; in this case?

@primeos
Member Author

primeos commented Dec 10, 2020

@prusnak good idea but for Nixpkgs it is fine since Python 3.5 was already removed in 49f4475 (and for Python 2 the cryptography version was locked to 2.9.2). But I could add it if there are any overlays, etc. that still use Python 3.5 and aren't based on a stable NixOS channel or if we prefer to always add disabled if the information is available.

@prusnak
Member

prusnak commented Dec 10, 2020

@prusnak good idea but for Nixpkgs it is fine since Python 3.5 was already removed in

right, nevermind :)

@FRidh
Member

FRidh commented Dec 11, 2020

@GrahamcOfBorg build python3.pkgs.pyopenssl

Member

@TredwellGit TredwellGit left a comment


I rebuilt my personal system with this.

@primeos primeos merged commit fa28c15 into NixOS:staging Dec 14, 2020