| Field | Value |
|---|---|
| Summary | security/py-ecdsa: Update to 0.13.3 (+MFH) -> Update to 0.15 |
| Product | Ports & Packages |
| Component | Individual Port(s) |
| Reporter | Emanuel Haupt <ehaupt> |
| Assignee | Steve Wills <swills> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| Priority | Normal |
| CC | ports-secteam, swills |
| Flags | koobs: maintainer-feedback+; koobs: merge-quarterly+ |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Bug Depends on | (none) |
| Bug Blocks | 247825 |
| Attachments | 216287 Patch to update security/py-ecdsa to 0.15; 216289 make test; 216290 portlint -A; 216291 poudriere testport; 216292 poudriere testport; 216296 poudriere testport logs for all dependencies; 216662 updated patch |
Thank you Emanuel.

Does this pass QA (portlint, poudriere, make test)?

I note in the changelog at least the following:

  expected minimum version of `six` module (1.9.0) is now specified explicitly in `setup.py` and tested against.

^Triage: [tags] in issue Titles are deprecated

---

> Does this pass QA (portlint, poudriere, make test)?

Yes.

> I note in the changelog at least the following:
>
> expected minimum version of `six` module (1.9.0) is now specified explicitly
> in `setup.py` and tested against.

Good catch. Can you just update it? My interest in this port is limited to the fact that it's a dependency for one of my ports.

> ^Triage: [tags] in issue Titles are deprecated

Noted, thanks.

---

Created attachment 216289
make test

---

Created attachment 216290
portlint -A

---

Created attachment 216291
poudriere testport

---

Created attachment 216292
poudriere testport
---

(In reply to Emanuel Haupt from comment #2)

I can, I was just asking as I was hoping I could just assign/approve you to commit :)

I'll need a few more days to run through this with QA (particularly regarding consumers and API compatibility).

---

Created attachment 216296
poudriere testport logs for all dependencies

Take your time. I haven't tested every dependency (functionally) but they all build fine with the new version (see attachment).
---

(In reply to Emanuel Haupt from comment #8)

Thanks for that, very helpful.

---

Created attachment 216662
updated patch

Here's a version which adds an optional dependency on gmp or gmp2 for faster arithmetic (as the README suggests) and enables that by default. The tests aren't included in the PyPI sdist, but I fetched the tarball of this version from GitHub and ran them and they all passed, in all OPTION scenarios. All the ports that use this build tested fine.

Running tests for all consumers and verifying API compatibility seems to be setting too high of a bar of testing, IMHO.
---

(In reply to Steve Wills from comment #10)

Thanks for the update. I just noticed the following for the 0.13.3 update:

  * Release 0.13.3 (07 Oct 2019)
    Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding and signature malleability.

This means that we'll want to MFH this update, but given the API changes, we'll probably want to:

- Update to 0.13.3 and MFH
- Update to 0.15 and not MFH

Otherwise, the QA requirements (testing dependents against the ABI changes) are going to be relatively substantial, in order to verify the API changes don't break consumers (particularly in quarterly).

---

(In reply to Kubilay Kocak from comment #11)

Are you going to do that or should I submit something? I'd like to get this done.

---

(In reply to Steve Wills from comment #12)

Just wanted to inform here what needed to be done. If you have available cycles and your changes otherwise pass QA (I believe they have?), feel free to self-assign and commit (splitting up the commit) and merge.

---

Comment on attachment 216662
updated patch

The test target shouldn't need tox as a TEST_DEPENDS; it should run whatever tox runs (usually pytest) instead.

Otherwise approved as multiple commits:

1. Update to 0.13.3 + vuxml entry + MFH
2. Update to 0.15, MFH: No (feature release)

Pending vuxml patch for < 0.13.3

---

(In reply to Kubilay Kocak from comment #15)

Do you have plans to take care of the patch for 0.13.3?

---

A commit references this bug:

Author: swills
Date: Sun Aug 16 13:27:30 UTC 2020
New revision: 545114
URL: https://svnweb.freebsd.org/changeset/ports/545114

Log:
  security/py-ecdsa: update to 0.13.3

  PR:		247823
  Reported by:	ehaupt
  Approved by:	koobs (maintainer)
  Security:	a23ebf36-e8b6-4665-b0f3-4c977f9a145c

Changes:
  head/security/py-ecdsa/Makefile
  head/security/py-ecdsa/distinfo

---

A commit references this bug:

Author: swills
Date: Sun Aug 16 13:28:46 UTC 2020
New revision: 545115
URL: https://svnweb.freebsd.org/changeset/ports/545115

Log:
  MFH: r545114

  security/py-ecdsa: update to 0.13.3

  PR:		247823
  Reported by:	ehaupt
  Approved by:	koobs (maintainer)
  Security:	a23ebf36-e8b6-4665-b0f3-4c977f9a145c
  Approved by:	ports-secteam (implicit)

Changes:
  _U branches/2020Q3/
  branches/2020Q3/security/py-ecdsa/Makefile
  branches/2020Q3/security/py-ecdsa/distinfo

---

A commit references this bug:

Author: swills
Date: Sun Aug 16 13:58:40 UTC 2020
New revision: 545117
URL: https://svnweb.freebsd.org/changeset/ports/545117

Log:
  security/py-ecdsa: update to 0.15

  While here, add optional dependency on gmp or gmp2 for faster arithmetic

  PR:		247823
  Reported by:	ehaupt
  Approved by:	koobs (maintainer)

Changes:
  head/security/py-ecdsa/Makefile
  head/security/py-ecdsa/distinfo

---

Committed, thanks!

---

^Triage:

- Assign to committer that resolved
- Track MFH
- Update keywords
---

Created attachment 216287
Patch to update security/py-ecdsa to 0.15

Update security/py-ecdsa to 0.15