Bug 247823

Summary: security/py-ecdsa: Update to 0.13.3 (+MFH) -> Update to 0.15
Product: Ports & Packages
Component: Individual Port(s)
Status: Closed FIXED
Severity: Affects Many People
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Reporter: Emanuel Haupt <ehaupt>
Assignee: Steve Wills <swills>
CC: ports-secteam, swills
Flags: koobs: maintainer-feedback+, koobs: merge-quarterly+
Bug Depends on:
Bug Blocks: 247825
Attachments (description, flags):
- Patch to update security/py-ecdsa to 0.15 (flags: none)
- make test (flags: none)
- portlint -A (flags: none)
- poudriere testport (flags: none)
- poudriere testport (flags: none)
- poudriere testport logs for all dependencies (flags: none)
- updated patch (flags: koobs: maintainer-approval+)

Description Emanuel Haupt freebsd_committer freebsd_triage 2020-07-07 12:59:44 UTC
Created attachment 216287 [details]
Patch to update security/py-ecdsa to 0.15

Update security/py-ecdsa to 0.15
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-07 13:04:01 UTC
Thank you Emanuel

Does this pass QA (portlint, poudriere, make test) ?

I note in the changelog at least the following:

  expected minimum version of `six` module (1.9.0) is now specified explicitly
  in `setup.py` and tested against.

^Triage: [tags] in issue Titles are deprecated
Comment 2 Emanuel Haupt freebsd_committer freebsd_triage 2020-07-07 13:19:10 UTC
> Does this pass QA (portlint, poudriere, make test) ?

Yes.

> I note in the changelog at least the following:
> 
>   expected minimum version of `six` module (1.9.0) is now specified explicitly
>   in `setup.py` and tested against.

Good catch. Can you just update it? My interest in this port is limited to the fact that it's a dependency for one of my ports.

> ^Triage: [tags] in issue Titles are deprecated

Noted, thanks.
Comment 3 Emanuel Haupt freebsd_committer freebsd_triage 2020-07-07 13:22:24 UTC
Created attachment 216289 [details]
make test
Comment 4 Emanuel Haupt freebsd_committer freebsd_triage 2020-07-07 13:22:41 UTC
Created attachment 216290 [details]
portlint -A
Comment 5 Emanuel Haupt freebsd_committer freebsd_triage 2020-07-07 13:23:21 UTC
Created attachment 216291 [details]
poudriere testport
Comment 6 Emanuel Haupt freebsd_committer freebsd_triage 2020-07-07 13:24:29 UTC
Created attachment 216292 [details]
poudriere testport
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-07 13:32:53 UTC
(In reply to Emanuel Haupt from comment #2)

I can, I was just asking as I was hoping I could just assign/approve you to commit :) I'll need a few more days to run through this with QA (particularly regarding consumers and API compatibility)
Comment 8 Emanuel Haupt freebsd_committer freebsd_triage 2020-07-07 14:06:06 UTC
Created attachment 216296 [details]
poudriere testport logs for all dependencies

Take your time. I haven't tested every dependency (functionally) but they all build fine with the new version (see attachment).
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-08 13:27:35 UTC
(In reply to Emanuel Haupt from comment #8)

Thanks for that, very helpful
Comment 10 Steve Wills freebsd_committer freebsd_triage 2020-07-22 12:51:07 UTC
Created attachment 216662 [details]
updated patch

Here's a version which adds an optional dependency on gmp or gmp2 for faster arithmetic (as the README suggests) and enables that by default. The tests aren't included in the pypi sdist, but I fetched the tarball of this version from github and ran them and they all passed, in all OPTION scenarios. All the ports that use this build tested fine.

Running tests for all consumers and verifying API compatibility seems to be setting too high of a bar of testing, IMHO.
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-23 02:28:28 UTC
(In reply to Steve Wills from comment #10)

Thanks for the update.

I just noticed the following for the 0.13.3 update:

* Release 0.13.3 (07 Oct 2019)

Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding and
signature malleability.


This means that we'll want to MFH this update, but given the API changes, we'll probably want to:

- Update to 0.13.3 and MFH
- Update 0.15 and not MFH

Otherwise, the QA requirements (testing dependents against the ABI changes) are going to be relatively substantial, in order to verify the API changes don't break consumers (particularly in quarterly)
Comment 12 Steve Wills freebsd_committer freebsd_triage 2020-07-23 23:58:10 UTC
(In reply to Kubilay Kocak from comment #11)
Are you going to do that or should I submit something? I'd like to get this done.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:03:32 UTC
(In reply to Steve Wills from comment #12)

Just wanted to inform here what needed to be done. If you have available cycles and your changes otherwise pass QA (I believe they have?), feel free to self-assign and commit (splitting up the commit) and merge
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:07:02 UTC
Comment on attachment 216662 [details]
updated patch

Test target shouldn't need tox as a TEST_DEPENDS, should run whatever tox runs (usually pytest) instead.

Otherwise approved as multiple commits:

 1. Update to 0.13.3 + vuxml entry + MFH
 2. Update to 0.15 MFH: No (feature release)
Comment 15 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:07:51 UTC
Pending vuxml patch for < 0.13.3
Comment 16 Steve Wills freebsd_committer freebsd_triage 2020-07-24 13:30:15 UTC
(In reply to Kubilay Kocak from comment #15)
Do you have plans to take care of the patch for 0.13.3?
Comment 17 commit-hook freebsd_committer freebsd_triage 2020-08-16 13:28:11 UTC
A commit references this bug:

Author: swills
Date: Sun Aug 16 13:27:30 UTC 2020
New revision: 545114
URL: https://svnweb.freebsd.org/changeset/ports/545114

Log:
  security/py-ecdsa: update to 0.13.3

  PR:		247823
  Reported by:	ehaupt
  Approved by:	koobs (maintainer)
  Security:	a23ebf36-e8b6-4665-b0f3-4c977f9a145c

Changes:
  head/security/py-ecdsa/Makefile
  head/security/py-ecdsa/distinfo
Comment 18 commit-hook freebsd_committer freebsd_triage 2020-08-16 13:29:13 UTC
A commit references this bug:

Author: swills
Date: Sun Aug 16 13:28:46 UTC 2020
New revision: 545115
URL: https://svnweb.freebsd.org/changeset/ports/545115

Log:
  MFH: r545114

  security/py-ecdsa: update to 0.13.3

  PR:		247823
  Reported by:	ehaupt
  Approved by:	koobs (maintainer)
  Security:	a23ebf36-e8b6-4665-b0f3-4c977f9a145c

  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/security/py-ecdsa/Makefile
  branches/2020Q3/security/py-ecdsa/distinfo
Comment 19 commit-hook freebsd_committer freebsd_triage 2020-08-16 13:59:19 UTC
A commit references this bug:

Author: swills
Date: Sun Aug 16 13:58:40 UTC 2020
New revision: 545117
URL: https://svnweb.freebsd.org/changeset/ports/545117

Log:
  security/py-ecdsa: update to 0.15

  While here, add optional dependency on gmp or gmp2 for faster arithmetic

  PR:		247823
  Reported by:	ehaupt
  Approved by:	koobs (maintainer)

Changes:
  head/security/py-ecdsa/Makefile
  head/security/py-ecdsa/distinfo
Comment 20 Steve Wills freebsd_committer freebsd_triage 2020-08-16 13:59:52 UTC
Committed, thanks!
Comment 21 Kubilay Kocak freebsd_committer freebsd_triage 2020-08-17 03:43:38 UTC
^Triage: 

 - Assign to committer that resolved
 - Track MFH
 - Update keywords