Bug 254853 - security/py-cryptography: Update to 37.0.2
Summary: security/py-cryptography: Update to 37.0.2
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Po-Chuan Hsieh
Keywords: needs-qa
Depends on: 266670 254851
Blocks: 256885 266680
  Show dependency treegraph
Reported: 2021-04-07 12:10 UTC by Jeroen Pulles
Modified: 2022-09-29 22:09 UTC (History)
13 users (show)

See Also:
bugzilla: maintainer-feedback? (koobs)
koobs: maintainer-feedback? (dbaio)

patch for 3.4.7 (8.25 KB, patch)
2021-04-07 12:10 UTC, Jeroen Pulles
no flags Details | Diff
Don't build rust modules (3.4.7 specific) (4.32 KB, patch)
2021-06-07 11:17 UTC, Jeroen Pulles
no flags Details | Diff
git diff for security/py-cryptography (14.73 KB, patch)
2022-05-15 16:02 UTC, Bernard Spil
brnrd: maintainer-approval? (sunpoet)
Details | Diff
update to 38.0.1 with rust build (22.56 KB, patch)
2022-09-28 13:19 UTC, Ivan Rozhuk
rozhuk.im: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Pulles 2021-04-07 12:10:33 UTC
Created attachment 223896 [details]
patch for 3.4.7

py-cryptography is now using a bit of rust in an extension; 

I've filed a bug for a new port for setuptools-rust, #254851

We've made this to work by USES=cargo, but then making sure that setuptools-rust does the compilation, with the CARGO_BUILD CARGO_INSTALL CARGO_TEST =no
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-04 02:02:55 UTC
Thanks Jeroen, does this depend on bug 254851? If so please add it to the Depends On field, thanks!
Comment 2 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-04 12:41:44 UTC
I have it from cryptography upstream that the 3.4 branch is safe to use without rust (and doesnt require it), as long as we set the environment variable to not use it.

Looks like the patch attached here is the reverse of what was intended?

@Jeroen Are you able to do a plain 3.4.x update here (adding the right env var not to use rust, see setup.py), and then create a separate issue for the future 35.0 branch coming soon that includes the changes you included here? (using rust).
Comment 3 Jeroen Pulles 2021-06-07 11:17:51 UTC
Created attachment 225623 [details]
Don't build rust modules (3.4.7 specific)

You mean setting `CRYPTOGRAPHY_DONT_BUILD_RUST=`. The setup.py still imports setuptools_rust. Under the assumption that it is completely safe to also remove the setuptools_rust import, I've patched setup.py, and not set the environment variable. 

I don't see anything else using CRYPTOGRAPHY_DONT_BUILD_RUST.

The environment variable is documented in https://cryptography.io/en/3.4.7/faq.html. It took me a while to understand that that instruction is gone with the master version of docs.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-08 00:01:42 UTC
(In reply to Jeroen Pulles from comment #3)

Requesting clarity from upstream on the nature of the import error and the extent to which its related to, or should be conditional on the env var not being present
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-08 00:52:56 UTC
Upstream advises that:

 - patching out the error and passing the env var, if the tests pass, is OK
 - that they'll accept an upstream for conditionalizing the import/error block on the non presence of the env var
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-11 22:23:28 UTC
Minor changes to commit:

 - Use specific *_DEPENDS lines (with <version-specs>) over shared macros 
 - Add comment to patch "setuptools_rust try/except should be conditional on environment variable"
Comment 7 Pavel Timofeev 2022-01-17 19:49:19 UTC
Looking forward for this
Comment 8 Rene Ladan freebsd_committer 2022-03-07 19:54:58 UTC
Maintainer reset.
Comment 9 Jeroen Pulles 2022-03-10 16:58:45 UTC
The python.mk do-install step should register all files with the `--record` argument. On my installs this fails to register the cryptography/hazmat/bindings/_rust.abi3.so file that is in the build and stage directories. The _rust.abi3.so file is not in the .PLIST.pymodtmp file, and thus isn't installed. 

If I set `PYDISTUTILS_SETUP=${PYSETUP}` in the py-cryptography makefile, I get the same result: no _rust.abi3.so file. 

However, if I manually run `python3.9 setup.py install --record my-file.log` in the work directory, then _rust.abi3.so is found in "my-file.log". 

I don't understand where this goes wrong. 

How can I get this file included in the (auto-generated) plist?
Comment 10 mark burdett 2022-03-23 10:44:45 UTC
Hopefully this port can be updated soon, as py-openssl has been updated and now requires py-cryptography >= 35.0
Comment 11 mark burdett 2022-03-24 20:29:06 UTC
(Never mind that, py-openssl has been downgraded so things are no longer broken, see bug #262750)
Comment 12 Bernard Spil freebsd_committer 2022-04-30 10:11:09 UTC
From security/py-openssl:

> # We need to keep old py-cryptography and py-penssl for 11.x release
> # due to outdated OpenSSL version in base

No longer seems relevant after 2021-09-31 EoL of 11.x

What does it take to land this in ports?
Comment 13 Bernard Spil freebsd_committer 2022-05-15 16:02:46 UTC
Created attachment 233937 [details]
git diff for security/py-cryptography

security/py-cryptography: Update to 37.0.2

 * Remove Rust dependency
 * Supports LibreSSL 3.2 - 3.5

PR:   254853
Submitted by: Jeroen Pulles
Comment 14 Andris Raugulis 2022-09-26 20:11:49 UTC
Any movement on this?
Comment 15 Ivan Rozhuk 2022-09-28 13:19:40 UTC
Created attachment 236907 [details]
update to 38.0.1 with rust build

works for me
Comment 16 Ivan Rozhuk 2022-09-28 13:22:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266670 required to build with fresh libressl.