Date:      Tue, 26 Nov 2019 18:37:58 +0000 (UTC)
From:      Kai Knoblich <kai@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r518476 - in head: . net/py-urllib3 net/py-urllib3/files
Message-ID:  <201911261837.xAQIbwGe090648@repo.freebsd.org>

Author: kai
Date: Tue Nov 26 18:37:58 2019
New Revision: 518476
URL: https://svnweb.freebsd.org/changeset/ports/518476

Log:
  net/py-urllib3: Update to 1.25.6
  
  * Convert the RUN_DEPENDS into separate OPTIONS as they are listed as extra
    dependencies in setup.py.  Also set those as default that contain the
    previous RUN_DEPENDS to allow a clean transition.
  
  * Remove the Python-specific version limitation for security/py-certifi
    because it's required for all Python versions.
  
  * Also remove the info about the broken IPv6 support of net/py-socks (was
    broken in 1.5.7) and the relevant patch as both are obsolete.
  
  * Update the TEST_DEPENDS and add a "do-test" target to make future QA easier.
  
  Please note that an MFH won't be done as it didn't get an approval because
  there are too many changes to make it work in the 2019Q4 branch. [1]
  
  Notable changes since 1.22:
  
  * Require and validate certificates by default when using HTTPS.
  
  * Add mitigation for BPO-37428 affecting Python < 3.7.4 and OpenSSL 1.1.1+
    which caused certificate verification to be enabled when using
    "cert_reqs=CERT_NONE".
  
  * Add TLSv1.3 support to CPython, pyOpenSSL and SecureTransport "SSLContext"
    implementations.
  
  https://github.com/urllib3/urllib3/blob/1.25.6/CHANGES.rst
  
  Exp-run by:	antoine
  PR:		229322 [1]
  Reported by:	Patrice Clement <monsieurp@gentoo.org>
  Security:	87270ba5-03d3-11ea-b81f-3085a9a95629

Deleted:
  head/net/py-urllib3/files/patch-setup.py
Modified:
  head/UPDATING
  head/net/py-urllib3/Makefile
  head/net/py-urllib3/distinfo
  head/net/py-urllib3/files/pkg-message.in

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Tue Nov 26 17:45:35 2019	(r518475)
+++ head/UPDATING	Tue Nov 26 18:37:58 2019	(r518476)
@@ -5,6 +5,28 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20191126:
+  AFFECTS: consumers of net/py-urllib3
+  AUTHOR: kai@FreeBSD.org
+
+  Since version 1.25 HTTPS connections are now verified by default which is
+  done via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification
+  can be disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to
+  leave it on.
+
+  Various consumers of net/py-urllib3 already have implemented routines that
+  either explicitly enable or disable HTTPS certificate verification (e.g.
+  via configuration settings, CLI arguments, etc.).
+
+  Yet it may happen that there are still some consumers which don't
+  explicitly enable/disable certificate verification for HTTPS connections
+  which could then lead to errors (as is often the case with self-signed
+  certificates).
+
+  In case of an error one should try first to temporarily disable
+  certificate verification of the problematic urllib3 consumer to see if
+  this approach will remedy the issue.
+
 20191125:
   AFFECTS: users of emulators/qemu
   AUTHOR: bofh@FreeBSD.org
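
Review bot: The last paragraph of the new 20191126 entry tells readers to "try first to temporarily disable certificate verification" but never says to turn it back on, nor what the lasting fix is once the error goes away, so a self-signed-certificate failure is likely to end with "cert_reqs = 'CERT_NONE'" left in place. Suggest one more sentence: once the cause is confirmed, make the consumer trust the certificate or its issuing CA (urllib3 takes a CA bundle through ca_certs) and restore 'CERT_REQUIRED'. Minor wording: in "Since version 1.25 HTTPS connections are now verified" the "now" is redundant.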

Modified: head/net/py-urllib3/Makefile
==============================================================================
--- head/net/py-urllib3/Makefile	Tue Nov 26 17:45:35 2019	(r518475)
+++ head/net/py-urllib3/Makefile	Tue Nov 26 18:37:58 2019	(r518476)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	urllib3
-PORTVERSION=	1.22
+PORTVERSION=	1.25.6
 PORTEPOCH=	1
 CATEGORIES=	net python
 MASTER_SITES=	CHEESESHOP
@@ -14,25 +14,30 @@ COMMENT=	HTTP library with thread-safe connection pool
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/LICENSE.txt
 
-RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \
-		${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \
-		${PY_IPADDRESS} \
-		${PYTHON_PKGNAMEPREFIX}openssl>=16.0:security/py-openssl@${PY_FLAVOR} \
-		${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.7:net/py-pysocks@${PY_FLAVOR}
 TEST_DEPENDS=	${PYTHON_PKGNAMEPREFIX}mock>=0:devel/py-mock@${PY_FLAVOR} \
-		${PYTHON_PKGNAMEPREFIX}nose>=0:devel/py-nose@${PY_FLAVOR} \
-		${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR}
-#TEST_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR}
+		${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR}
 
 USES=		python
 USE_PYTHON=	autoplist concurrent distutils
+
 NO_ARCH=	yes
 SUB_FILES=	pkg-message
 
-.include <bsd.port.pre.mk>
+OPTIONS_DEFINE=	BROTLI SOCKS SSL
+OPTIONS_DEFAULT=SOCKS SSL
 
-.if ${PYTHON_REL} < 3400
-RUN_DEPENDS+=	${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR}
-.endif
+BROTLI_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}brotlipy>=0.6.0:archivers/py-brotlipy@${PY_FLAVOR}
+SOCKS_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.6:net/py-pysocks@${PY_FLAVOR}
+SSL_RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \
+			${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR} \
+			${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \
+			${PYTHON_PKGNAMEPREFIX}openssl>=0.14:security/py-openssl@${PY_FLAVOR} \
+			${PY_IPADDRESS}
 
-.include <bsd.port.post.mk>
+# Test 'test_ssl_read_timeout' fails with FreeBSD >= 12.0. That was already the
+# case with earlier versions of net/py-urllib3.
+do-test:
+	@cd ${WRKSRC} && ${SETENV} LC_ALL=en_US.UTF-8 ${PYTHON_CMD} -m pytest -v -rs -k 'not test_ssl_read_timeout'
+
+.include <bsd.port.mk>
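
Review bot: In SOCKS_RUN_DEPENDS and SSL_RUN_DEPENDS the version floors go down compared with the removed RUN_DEPENDS (pysocks>=1.5.7 becomes >=1.5.6, openssl>=16.0 becomes >=0.14) and nothing in the Makefile says why. If these are taken from the extras in setup.py, as the log suggests, a one-line comment above the two variables would keep a later committer from raising them again or from reading them as a typo. Separately, certifi now sits in SSL_RUN_DEPENDS, so deselecting SSL also removes the CA bundle dependency at the same time as this update turns verification on by default; that consequence deserves a mention next to OPTIONS_DEFINE or in the option's description.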

Modified: head/net/py-urllib3/distinfo
==============================================================================
--- head/net/py-urllib3/distinfo	Tue Nov 26 17:45:35 2019	(r518475)
+++ head/net/py-urllib3/distinfo	Tue Nov 26 18:37:58 2019	(r518476)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1500642203
-SHA256 (urllib3-1.22.tar.gz) = cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f
-SIZE (urllib3-1.22.tar.gz) = 226083
+TIMESTAMP = 1574013088
+SHA256 (urllib3-1.25.6.tar.gz) = 9a107b99a5393caf59c7aa3c1249c16e6879447533d0887f4336dde834c7be86
+SIZE (urllib3-1.25.6.tar.gz) = 248292

Modified: head/net/py-urllib3/files/pkg-message.in
==============================================================================
--- head/net/py-urllib3/files/pkg-message.in	Tue Nov 26 17:45:35 2019	(r518475)
+++ head/net/py-urllib3/files/pkg-message.in	Tue Nov 26 18:37:58 2019	(r518476)
@@ -1,7 +1,21 @@
 [
-{ type: install
+{ 
   message: <<EOM
-Be careful, support of IPv6 is broken with PySocks 1.5.7.
+Since version 1.25 HTTPS connections are now verified by default which is done
+via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification can be
+disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.
+
+Various consumers of net/py-urllib3 already have implemented routines that
+either explicitly enable or disable HTTPS certificate verification (e.g. via
+configuration settings, CLI arguments, etc.).
+
+Yet it may happen that there are still some consumers which don't explicitly
+enable/disable certificate verification for HTTPS connections which could then
+lead to errors (as is often the case with self-signed certificates).
+
+In case of an error one should try first to temporarily disable certificate
+verification of the problematic urllib3 consumer to see if that approach will
+remedy the issue.
 EOM
 }
 ]
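
Review bot: The opening line changes from "{ type: install" to "{ ", which drops the type key without explanation and leaves a trailing space on the added line. If the goal is to reach users who upgrade from 1.22, say so explicitly with "type: upgrade" plus a maximum_version bound, or keep "type: install" if the text is only meant for fresh installs; either way remove the trailing whitespace. The message body also repeats the UPDATING entry verbatim, including the advice to disable verification as a first step without saying to re-enable it, so any wording fix there should be mirrored here.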


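A way to find the urllib3 consumers this update affects, as an added example that is not part of the commit or of urllib3 itself: a static audit that reports, per call site, whether cert_reqs is left implicit (verified by default since 1.25), set explicitly, disabled, or not decidable from the source. The sample source, host names and CA path are constructed.

```python
import ast

# urllib3 classes that take the cert_reqs keyword named in the UPDATING entry.
POOL_CLASSES = {"PoolManager", "ProxyManager", "HTTPSConnectionPool"}
# Spellings that switch verification off: string forms and ssl.CERT_NONE (== 0).
OFF = {"CERT_NONE", "NONE", "0"}

def classify(call):
    """Return how one constructor call sets cert_reqs."""
    kws = {kw.arg: kw.value for kw in call.keywords}  # key None means **kwargs
    if "cert_reqs" in kws:
        v = kws["cert_reqs"]
        if isinstance(v, ast.Constant):
            if v.value is None:          # None falls back to the library default
                return "implicit"
            text = str(v.value)
        elif isinstance(v, (ast.Attribute, ast.Name)):
            text = v.attr if isinstance(v, ast.Attribute) else v.id
            if not text.startswith("CERT_"):
                return "dynamic"         # some variable, value unknown statically
        else:
            return "dynamic"
        return "disabled" if text.upper() in OFF else "explicit"
    return "dynamic" if None in kws else "implicit"

def audit(source):
    """List (line, class, status) for every pool constructor call in source."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
            if name in POOL_CLASSES:
                hits.append((node.lineno, name, classify(node)))
    return sorted(hits)

# Constructed consumer code covering each case.
SAMPLE = '''\
import ssl, urllib3
a = urllib3.PoolManager()
b = urllib3.PoolManager(cert_reqs="CERT_REQUIRED", ca_certs="/path/to/internal-ca.pem")
c = urllib3.PoolManager(cert_reqs="CERT_NONE")
d = urllib3.ProxyManager("http://proxy.example:3128", cert_reqs=ssl.CERT_NONE)
e = urllib3.HTTPSConnectionPool("host.example", **opts)
'''

if __name__ == "__main__":
    for line, cls, status in audit(SAMPLE):
        print(f"line {line}: {cls}: {status}")
```

Call sites reported as "implicit" are the ones whose behaviour changes with this update; "disabled" and "dynamic" ones need a manual look.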
