Created attachment 216287 [details]
Patch to update security/py-ecdsa to 0.15
Update security/py-ecdsa to 0.15
Thank you Emanuel
Does this pass QA (portlint, poudriere, make test)?
I note in the changelog at least the following:
expected minimum version of `six` module (1.9.0) is now specified explicitly
in `setup.py` and tested against.
^Triage: [tags] in issue Titles are deprecated
> Does this pass QA (portlint, poudriere, make test)?
> I note in the changelog at least the following:
> expected minimum version of `six` module (1.9.0) is now specified explicitly
> in `setup.py` and tested against.
Good catch. Can you just update it? My interest in this port is limited to the fact that it's a dependency for one of my ports.
> ^Triage: [tags] in issue Titles are deprecated
Created attachment 216289 [details]
Created attachment 216290 [details]
Created attachment 216291 [details]
Created attachment 216292 [details]
(In reply to Emanuel Haupt from comment #2)
I can, I was just asking as I was hoping I could just assign/approve you to commit :) I'll need a few more days to run through this with QA (particularly regarding consumers and API compatibility).
Created attachment 216296 [details]
poudriere testport logs for all dependencies
Take your time. I haven't tested every dependency (functionally) but they all build fine with the new version (see attachment).
(In reply to Emanuel Haupt from comment #8)
Thanks for that, very helpful
Created attachment 216662 [details]
Here's a version which adds an optional dependency on gmp or gmp2 for faster arithmetic (as the README suggests) and enables that by default. The tests aren't included in the pypi sdist, but I fetched the tarball of this version from github and ran them and they all passed, in all OPTION scenarios. All the ports that use this build tested fine.
Running tests for all consumers and verifying API compatibility seems to be setting too high of a bar of testing, IMHO.
(In reply to Steve Wills from comment #10)
Thanks for the update.
I just noticed the following for the 0.13.3 update:
* Release 0.13.3 (07 Oct 2019)
Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding and
This means that we'll want to MFH this update, but given the API changes, we'll probably want to:
- Update to 0.13.3 and MFH
- Update 0.15 and not MFH
Otherwise, the QA requirements (testing dependents against the ABI changes) are going to be relatively substantial, in order to verify the API changes don't break consumers (particularly in quarterly).
(In reply to Kubilay Kocak from comment #11)
Are you going to do that or should I submit something? I'd like to get this done.
(In reply to Steve Wills from comment #12)
Just wanted to inform here what needed to be done. If you have available cycles and your changes otherwise pass QA (I believe they have?), feel free to self-assign and commit (splitting up the commit) and merge.
Comment on attachment 216662 [details]
The test target shouldn't need tox as a TEST_DEPENDS; it should run whatever tox runs (usually pytest) instead.
Otherwise approved as multiple commits:
1. Update to 0.13.3 + vuxml entry + MFH
2. Update to 0.15 MFH: No (feature release)
Pending vuxml patch for < 0.13.3
(In reply to Kubilay Kocak from comment #15)
Do you have plans to take care of the patch for 0.13.3?