Created attachment 236916: patch
Requires security/py-cryptography 38.0.0+ from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254853
(In reply to Ivan Rozhuk from comment #1) What's the nature of the update dependency?
We're in a timeout situation here, and this blocks a twisted update, which caused regressions when recently updated.
(In reply to Kubilay Kocak from comment #2) Upstream requires fresh py-cryptography: https://github.com/pyca/pyopenssl/blob/main/setup.py
In the interim, update this to 21.0.0 instead, where the cryptography requirement is 3.3.
Also, be careful with this upgrade: it seems the new version of py-cryptography requires Rust support to be built. If someone wants to take over maintainership of security/py-openssl, please go ahead and do it.
The latest version is now 23.0.0.
(In reply to Sofian Brabez from comment #6) I submitted the py-cryptography upgrade diff -- waiting for feedback (need to do a poudriere run), but FWIW... the diff I posted works once py-cryptography is updated according to the tests bundled with py-openssl.
Created attachment 243568: patch to 23.2.0
New patch for 23.2.0
devel/py-awscli (and I am sure others) will need this when bug 254853 lands.
Please use this one. Thanks. https://people.freebsd.org/~sunpoet/patch/security-py-openssl.txt
Hi sunpoet -- is there a reason why the patches you're posting (for this and bug 254853) aren't making it into the ports tree?
(In reply to Po-Chuan Hsieh from comment #11) Can we have this patch actually added to the ports tree since py-cryptography is now updated? This patch fixes a lot of things around cryptography in python.
Please commit this update to the ports, as py-openssl 21.0.0 does not work with py-cryptography 41.0.3, i.e.:

1:09pm> python3
Python 3.9.17 (main, Jun 16 2023, 03:51:47)
[Clang 15.0.7 (https://github.com/llvm/llvm-project.git llvmorg-15.0.7-0-g8dfdc on freebsd13
Type "help", "copyright", "credits" or "license" for more information.
>>> import OpenSSL
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/crypto.py", line 3279, in <module>
    _lib.OpenSSL_add_all_algorithms()
AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'
>>>
Not so fast. Since we have both mainline and legacy cryptography ports, with a DEFAULT_VERSIONS knob to boot, this port actually has to provide both versions, gated on the set DEFAULT_VERSIONS. Different PyOpenSSL versions consume different parts of the cryptography API, to the point where cryptography cannot remove/deprecate API portions within certain version ranges to preserve compatibility. See past revisions of the cryptography port (iirc) for inspo on how to do this, before I get to it.
(In reply to Charlie Li from comment #15) I think there's no hurry now, as currently there is no consumer of py-cryptography-legacy or direct consumer of a legacy py-openssl (which would use py-cryptography-legacy), so we can update py-openssl to let its consumers work first. We can add py-openssl-legacy when needed.
Hello.

py39-certbot-2.6.0,1 = up-to-date with index
py39-josepy-1.13.0 = up-to-date with index
py39-openssl-21.0.0,1 = up-to-date with index
python39-3.9.17 = up-to-date with index
py39-cryptography-41.0.3,1 = up-to-date with index

# certbot -q renew --allow-subset-of-names
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
  File "/usr/local/bin/certbot", line 25, in importlib_load_entry_point
    return next(matches).load()
  File "/usr/local/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 6, in <module>
    from certbot._internal import main as internal_main
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 21, in <module>
    import josepy as jose
  File "/usr/local/lib/python3.9/site-packages/josepy/__init__.py", line 40, in <module>
    from josepy.json_util import (
  File "/usr/local/lib/python3.9/site-packages/josepy/json_util.py", line 14, in <module>
    from OpenSSL import crypto
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/local/lib/python3.9/site-packages/OpenSSL/crypto.py", line 3279, in <module>
    _lib.OpenSSL_add_all_algorithms()
AttributeError: module 'lib' has no attribute 'OpenSSL_add_all_algorithms'

How to fix?
Created attachment 244518: integrated patch
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=11e8f3c89438ceef19d425937a4e9de5085f9002

commit 11e8f3c89438ceef19d425937a4e9de5085f9002
Author:     Li-Wen Hsu <lwhsu@FreeBSD.org>
AuthorDate: 2023-08-31 13:27:26 +0000
Commit:     Li-Wen Hsu <lwhsu@FreeBSD.org>
CommitDate: 2023-08-31 13:27:26 +0000

    security/py-openssl: Update to 23.2.0

    This patch combines the efforts from the people involved in the PR.
    I just do the integrating and testing.

    PR:             266680
    Approved by:    sbz (earlier version)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D39037

 security/py-openssl/Makefile | 24 +++++++++---------------
 security/py-openssl/distinfo |  6 +++---
 2 files changed, 12 insertions(+), 18 deletions(-)
(In reply to commit-hook from comment #19) Can confirm this patch/update works, it fixed my policyd-spf (that uses py-openssl) problem. Cheers, László
(In reply to Li-Wen Hsu from comment #16) We will need to come up with a story around these -legacy vs non-legacy consumers: the -legacy ones will need to be marked broken on >=3.x and the non-legacy ones need to be marked broken on <3.x--otherwise the package builders are going to complain because of OpenSSL in base in 12.x/13.x. It's a bit of a tricky pickle too because of upstream ports deprecating support for OpenSSL 1.1--for good reason since it's EOL in another month--but that's a side-discussion for a different forum.
(In reply to Li-Wen Hsu from comment #16) Anyone who sets legacy for the cryptography DEFAULT_VERSIONS is a consumer. While not visible on say FreshPorts or anything that tracks the default DEFAULT_VERSIONS, you still have to account for those cases. A separate PyOpenSSL-legacy port is not feasible or in users' best interest in any case, since it would involve not only a new port, but possibly even an additional DEFAULT_VERSIONS knob. Such would only cause more confusion for users, who should not need to closely track cryptography and PyOpenSSL's development, to figure out which combination works with what. There is no API compatibility guarantee between different versions of the two packages, and because the two packages do not sync development or releases between themselves, some contention in this area has and will continue to happen. Hence why the best approach is to provide both 21.0.0 and whatever the current version is/becomes in the same port, gated on the DEFAULT_VERSIONS setting.
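The tracebacks in comments #13 and #16 and the point made just above (no API compatibility guarantee between pyOpenSSL and cryptography releases) can be checked mechanically before an upgrade lands. Below is an added example, not code from the port or from either upstream project: a small preflight check that compares the cryptography version against the lower bound pyOpenSSL's setup.py declared (3.3 for 21.0.0, 38.0.0 for 23.2.0, as quoted in this PR) and then probes cryptography's cffi `lib` object for the symbol pyOpenSSL 21.0.0 calls at import time (`OpenSSL_add_all_algorithms`, from the traceback). The pairing 21.0.0 + 41.0.3 satisfies the declared bound yet fails the probe, which is exactly the mismatch reported here. The names DECLARED_MIN_CRYPTOGRAPHY, IMPORT_TIME_SYMBOLS, preflight() and FakeLib are this example's own; upstream's upper bounds on cryptography are assumed to exist but are deliberately not reproduced.

```python
"""Preflight check for a pyOpenSSL / cryptography pairing (added example)."""
import re
from typing import Iterable, List, Optional, Sequence, Tuple

# Lower bounds pyOpenSSL's setup.py declared for cryptography, as quoted in
# the PR.  Upstream also pins upper bounds; they are not reproduced here
# (assumption: see the lead-in), so this table alone cannot say "too new".
DECLARED_MIN_CRYPTOGRAPHY = {
    "21.0.0": "3.3",
    "23.2.0": "38.0.0",
}

# Symbols that OpenSSL/crypto.py in pyOpenSSL 21.0.0 calls on cryptography's
# cffi `lib` at import time (from the traceback in the PR).  If cryptography
# dropped the binding, `import OpenSSL` raises AttributeError regardless of
# what the declared version bound says.
IMPORT_TIME_SYMBOLS: Sequence[str] = ("OpenSSL_add_all_algorithms",)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'41.0.3,1' -> (41, 0, 3).  A trailing ports epoch (',1') is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split(",")[0])]
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def declared_ok(pyopenssl: str, cryptography: str) -> Optional[bool]:
    """True if cryptography meets pyOpenSSL's declared lower bound,
    None if this pyOpenSSL version is not in the table."""
    minimum = DECLARED_MIN_CRYPTOGRAPHY.get(pyopenssl)
    if minimum is None:
        return None
    return parse_version(cryptography) >= parse_version(minimum)


def missing_symbols(lib: object,
                    symbols: Iterable[str] = IMPORT_TIME_SYMBOLS) -> List[str]:
    """Names from `symbols` that the cffi lib object does not expose."""
    return [name for name in symbols if not hasattr(lib, name)]


def installed_lib() -> Optional[object]:
    """cryptography's cffi lib for the installed package, or None if absent.
    Importing the binding does not import OpenSSL, so this probe cannot
    itself trip the AttributeError seen in the PR."""
    try:
        from cryptography.hazmat.bindings.openssl.binding import Binding
    except ImportError:
        return None
    return Binding().lib


def preflight(pyopenssl: str, cryptography: str,
              lib: Optional[object] = None) -> str:
    """Combine the declared bound with the functional probe into a verdict.
    `lib` may be injected (e.g. FakeLib) to run without cryptography installed."""
    if declared_ok(pyopenssl, cryptography) is False:
        return (f"refuse: cryptography {cryptography} is below the declared "
                f"minimum {DECLARED_MIN_CRYPTOGRAPHY[pyopenssl]} for pyOpenSSL {pyopenssl}")
    if lib is None:
        lib = installed_lib()
    if lib is None:
        return "unknown: cryptography is not importable, cannot probe bindings"
    missing = missing_symbols(lib)
    if missing:
        return ("broken: declared bound satisfied but cryptography's bindings "
                "lack " + ", ".join(missing))
    return "ok"


class FakeLib:
    """Constructed stand-in for cryptography's cffi lib, for offline runs."""

    def __init__(self, names: Iterable[str]) -> None:
        for name in names:
            setattr(self, name, lambda: None)


if __name__ == "__main__":
    # The pairing from the PR: the declared bound passes, the import would not.
    print(preflight("21.0.0", "41.0.3", lib=FakeLib([])))
    # Old cryptography that still carries the symbol: fine for 21.0.0.
    print(preflight("21.0.0", "3.3", lib=FakeLib(IMPORT_TIME_SYMBOLS)))
    # 23.2.0 against a cryptography below its declared minimum.
    print(preflight("23.2.0", "37.0.0", lib=FakeLib([])))
```

Run it on a host with the ports installed and `lib=None` so `installed_lib()` probes the real binding; the "broken" verdict is the condition a port maintainer wants to catch in a poudriere run rather than in a user's `certbot renew`.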