Bug 247823 - security/py-ecdsa: Update to 0.13.3 (+MFH) -> Update to 0.15
Summary: security/py-ecdsa: Update to 0.13.3 (+MFH) -> Update to 0.15
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal, Affects Many People
Assignee: Kubilay Kocak
URL:
Keywords: needs-patch, needs-qa
Depends on:
Blocks: 247825
Reported: 2020-07-07 12:59 UTC by Emanuel Haupt
Modified: 2020-07-24 13:30 UTC

See Also:
koobs: maintainer-feedback+
koobs: merge-quarterly?


Attachments
- Patch to update security/py-ecdsa to 0.15 (904 bytes, text/plain), 2020-07-07 12:59 UTC, Emanuel Haupt, no flags
- make test (866 bytes, text/plain), 2020-07-07 13:22 UTC, Emanuel Haupt, no flags
- portlint -A (187 bytes, text/plain), 2020-07-07 13:22 UTC, Emanuel Haupt, no flags
- poudriere testport (24.26 KB, text/plain), 2020-07-07 13:23 UTC, Emanuel Haupt, no flags
- poudriere testport (25.70 KB, text/plain), 2020-07-07 13:24 UTC, Emanuel Haupt, no flags
- poudriere testport logs for all dependencies (71.15 KB, application/gzip), 2020-07-07 14:06 UTC, Emanuel Haupt, no flags
- updated patch (1.58 KB, patch), 2020-07-22 12:51 UTC, Steve Wills, koobs: maintainer-approval+

Description Emanuel Haupt freebsd_committer 2020-07-07 12:59:44 UTC
Created attachment 216287 [details]
Patch to update security/py-ecdsa to 0.15

Update security/py-ecdsa to 0.15
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-07 13:04:01 UTC
Thank you Emanuel

Does this pass QA (portlint, poudriere, make test) ?

I note in the changelog at least the following:

  expected minimum version of `six` module (1.9.0) is now specified explicitly
  in `setup.py` and tested against.

^Triage: [tags] in issue Titles are deprecated
Comment 2 Emanuel Haupt freebsd_committer 2020-07-07 13:19:10 UTC
> Does this pass QA (portlint, poudriere, make test) ?

Yes.

> I note in the changelog at least the following:
> 
>   expected minimum version of `six` module (1.9.0) is now specified explicitly
>   in `setup.py` and tested against.

Good catch. Can you just update it? My interest in this port is limited to the fact that it's a dependency for one of my ports.

> ^Triage: [tags] in issue Titles are deprecated

Noted, thanks.
Comment 3 Emanuel Haupt freebsd_committer 2020-07-07 13:22:24 UTC
Created attachment 216289 [details]
make test
Comment 4 Emanuel Haupt freebsd_committer 2020-07-07 13:22:41 UTC
Created attachment 216290 [details]
portlint -A
Comment 5 Emanuel Haupt freebsd_committer 2020-07-07 13:23:21 UTC
Created attachment 216291 [details]
poudriere testport
Comment 6 Emanuel Haupt freebsd_committer 2020-07-07 13:24:29 UTC
Created attachment 216292 [details]
poudriere testport
Comment 7 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-07 13:32:53 UTC
(In reply to Emanuel Haupt from comment #2)

I can, I was just asking as I was hoping I could just assign/approve you to commit :) I'll need a few more days to run through this with QA (particularly regarding consumers and API compatibility).
Comment 8 Emanuel Haupt freebsd_committer 2020-07-07 14:06:06 UTC
Created attachment 216296 [details]
poudriere testport logs for all dependencies

Take your time. I haven't tested every dependency (functionally) but they all build fine with the new version (see attachment).
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-08 13:27:35 UTC
(In reply to Emanuel Haupt from comment #8)

Thanks for that, very helpful
Comment 10 Steve Wills freebsd_committer 2020-07-22 12:51:07 UTC
Created attachment 216662 [details]
updated patch

Here's a version which adds an optional dependency on gmp or gmp2 for faster arithmetic (as the README suggests) and enables that by default. The tests aren't included in the pypi sdist, but I fetched the tarball of this version from github and ran them and they all passed, in all OPTION scenarios. All the ports that use this build tested fine.

Running tests for all consumers and verifying API compatibility seems to be setting too high of a bar of testing, IMHO.
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-23 02:28:28 UTC
(In reply to Steve Wills from comment #10)

Thanks for the update.

I just noticed the following for the 0.13.3 update:

* Release 0.13.3 (07 Oct 2019)

Fix CVE-2019-14853 - possible DoS caused by malformed signature decoding and
signature malleability.
This means that we'll want to MFH this update, but given the API changes, we'll probably want to:

- Update to 0.13.3 and MFH
- Update to 0.15 and not MFH

Otherwise, the QA requirements (testing dependents against the ABI changes) are going to be relatively substantial, in order to verify the API changes don't break consumers (particularly in quarterly).
Comment 12 Steve Wills freebsd_committer 2020-07-23 23:58:10 UTC
(In reply to Kubilay Kocak from comment #11)
Are you going to do that or should I submit something? I'd like to get this done.
Comment 13 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:03:32 UTC
(In reply to Steve Wills from comment #12)

Just wanted to inform here what needed to be done. If you have available cycles and your changes otherwise pass QA (I believe they have?), feel free to self-assign and commit (splitting up the commit) and merge.
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:07:02 UTC
Comment on attachment 216662 [details]
updated patch

The test target shouldn't need tox as a TEST_DEPENDS; it should run whatever tox runs (usually pytest) instead.

Otherwise approved as multiple commits:

 1. Update to 0.13.3 + vuxml entry + MFH
 2. Update to 0.15 MFH: No (feature release)
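The ports Makefile fragment below is an added illustration, not the patch attached to this bug or the port's actual Makefile. It shows the shape of the two points raised in this thread: the explicit `six>=1.9.0` run dependency noted in comment 1, and a test target that depends on pytest and runs it directly rather than pulling in tox (comment 14). The variable names and target are standard ports-framework conventions; nothing here is taken from the attached patch.

```make
# Illustrative fragment for a py-ecdsa style port (not the attached patch).

# Upstream 0.15 declares a minimum six version of 1.9.0; mirror it here
# so pkg resolves the requirement instead of discovering it at run time.
RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}six>=1.9.0:devel/py-six@${PY_FLAVOR}

# Depend on what tox would run (pytest), not on tox itself.
TEST_DEPENDS=	${PYTHON_PKGNAMEPREFIX}pytest>0:devel/py-pytest@${PY_FLAVOR}

# Run the suite directly from the unpacked source; -rs reports skipped tests
# so a silently skipped suite is visible in the QA log.
do-test:
	@cd ${TEST_WRKSRC} && ${PYTHON_CMD} -m pytest -v -rs
```

Note that comment 10 points out the tests are absent from the PyPI sdist, so a `do-test` like this only exercises anything if the port fetches a distfile that actually contains the test suite.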
Comment 15 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-24 02:07:51 UTC
Pending vuxml patch for < 0.13.3
Comment 16 Steve Wills freebsd_committer 2020-07-24 13:30:15 UTC
(In reply to Kubilay Kocak from comment #15)
Do you have plans to take care of the patch for 0.13.3?