svn commit: r518476 - in head: . net/py-urllib3 net/py-urllib3/files
Kai Knoblich
kai at FreeBSD.org
Tue Nov 26 18:37:59 UTC 2019
Author: kai
Date: Tue Nov 26 18:37:58 2019
New Revision: 518476
URL: https://svnweb.freebsd.org/changeset/ports/518476
Log:
net/py-urllib3: Update to 1.25.6

* Convert the RUN_DEPENDS into separate OPTIONS as they are listed as extra
  dependencies in setup.py. Also set those as default that contain the
  previous RUN_DEPENDS to allow a clean transition.
* Remove the Python-specific version limitation for security/py-certifi
  because it's required for all Python versions.
* Also remove the info about the broken IPv6 support of net/py-socks (was
  broken in 1.5.7) and the relevant patch as both are obsolete.
* Update the TEST_DEPENDS and add a "do-test" target to make future QA easier.

Please note that an MFH won't be done as it didn't get an approval because
there are too many changes to make it work in the 2019Q4 branch. [1]

Notable changes since 1.22:

* Require and validate certificates by default when using HTTPS.
* Add mitigation for BPO-37428 affecting Python < 3.7.4 and OpenSSL 1.1.1+
  which caused certificate verification to be enabled when using
  "cert_reqs=CERT_NONE".
* Add TLSv1.3 support to CPython, pyOpenSSL and SecureTransport "SSLContext"
  implementations.

https://github.com/urllib3/urllib3/blob/1.25.6/CHANGES.rst

Exp-run by: antoine
PR: 229322 [1]
Reported by: Patrice Clement <monsieurp at gentoo.org>
Security: 87270ba5-03d3-11ea-b81f-3085a9a95629
Deleted:
head/net/py-urllib3/files/patch-setup.py
Modified:
head/UPDATING
head/net/py-urllib3/Makefile
head/net/py-urllib3/distinfo
head/net/py-urllib3/files/pkg-message.in
Modified: head/UPDATING
==============================================================================
--- head/UPDATING Tue Nov 26 17:45:35 2019 (r518475)
+++ head/UPDATING Tue Nov 26 18:37:58 2019 (r518476)
@@ -5,6 +5,28 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20191126:
+ AFFECTS: consumers of net/py-urllib3
+ AUTHOR: kai at FreeBSD.org
+
+ Since version 1.25 HTTPS connections are now verified by default which is
+ done via "cert_reqs = 'CERT_REQUIRED'". While certificate verification
+ can be disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to
+ leave it on.
+
+ Various consumers of net/py-urllib3 already have implemented routines that
+ either explicitly enable or disable HTTPS certificate verification (e.g.
+ via configuration settings, CLI arguments, etc.).
+
+ Yet it may happen that there are still some consumers which don't
+ explicitly enable/disable certificate verification for HTTPS connections
+ which could then lead to errors (as is often the case with self-signed
+ certificates).
+
+ In case of an error one should try first to temporarily disable
+ certificate verification of the problematic urllib3 consumer to see if
+ this approach will remedy the issue.
+
20191125:
AFFECTS: users of emulators/qemu
AUTHOR: bofh at FreeBSD.org
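Review bot: The last paragraph of the new 20191126 entry tells users to temporarily disable certificate verification when a consumer fails, but it stops there and never says to turn verification back on or how to resolve the underlying trust failure. Since the first paragraph says it is highly recommended to leave verification on, add a closing sentence stating that disabling is a diagnostic step only, that the lasting fix for the self-signed case mentioned above is to make the consumer trust that certificate or its issuing CA, and that "cert_reqs = 'CERT_REQUIRED'" should be restored afterwards.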
Modified: head/net/py-urllib3/Makefile
==============================================================================
--- head/net/py-urllib3/Makefile Tue Nov 26 17:45:35 2019 (r518475)
+++ head/net/py-urllib3/Makefile Tue Nov 26 18:37:58 2019 (r518476)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= urllib3
-PORTVERSION= 1.22
+PORTVERSION= 1.25.6
PORTEPOCH= 1
CATEGORIES= net python
MASTER_SITES= CHEESESHOP
@@ -14,25 +14,30 @@ COMMENT= HTTP library with thread-safe connection pool
LICENSE= MIT
LICENSE_FILE= ${WRKSRC}/LICENSE.txt
-RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \
- ${PY_IPADDRESS} \
- ${PYTHON_PKGNAMEPREFIX}openssl>=16.0:security/py-openssl@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.7:net/py-pysocks@${PY_FLAVOR}
TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}mock>=0:devel/py-mock@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}nose>=0:devel/py-nose@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR}
-#TEST_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR}
+ ${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR}
USES= python
USE_PYTHON= autoplist concurrent distutils
+
NO_ARCH= yes
SUB_FILES= pkg-message
-.include <bsd.port.pre.mk>
+OPTIONS_DEFINE= BROTLI SOCKS SSL
+OPTIONS_DEFAULT=SOCKS SSL
-.if ${PYTHON_REL} < 3400
-RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR}
-.endif
+BROTLI_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}brotlipy>=0.6.0:archivers/py-brotlipy@${PY_FLAVOR}
+SOCKS_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.6:net/py-pysocks@${PY_FLAVOR}
+SSL_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}openssl>=0.14:security/py-openssl@${PY_FLAVOR} \
+ ${PY_IPADDRESS}
-.include <bsd.port.post.mk>
+# Test 'test_ssl_read_timeout' fails with FreeBSD >= 12.0. That was already the
+# case with earlier versions of net/py-urllib3.
+do-test:
+ @cd ${WRKSRC} && ${SETENV} LC_ALL=en_US.UTF-8 ${PYTHON_CMD} -m pytest -v -rs -k 'not test_ssl_read_timeout'
+
+.include <bsd.port.mk>
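Review bot: The version floors in the new SOCKS_RUN_DEPENDS and SSL_RUN_DEPENDS lines are lower than in the removed RUN_DEPENDS: pysocks drops from ">=1.5.7" to ">=1.5.6" and openssl from ">=16.0" to ">=0.14". The log says the options follow the extras listed in setup.py, which may be the reason, but nothing in the Makefile records it. Either keep the previous floors or add a one-line comment above the option dependencies saying the bounds are taken from setup.py, so the relaxation of the TLS-related dependency does not look accidental to the next committer.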
Modified: head/net/py-urllib3/distinfo
==============================================================================
--- head/net/py-urllib3/distinfo Tue Nov 26 17:45:35 2019 (r518475)
+++ head/net/py-urllib3/distinfo Tue Nov 26 18:37:58 2019 (r518476)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1500642203
-SHA256 (urllib3-1.22.tar.gz) = cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f
-SIZE (urllib3-1.22.tar.gz) = 226083
+TIMESTAMP = 1574013088
+SHA256 (urllib3-1.25.6.tar.gz) = 9a107b99a5393caf59c7aa3c1249c16e6879447533d0887f4336dde834c7be86
+SIZE (urllib3-1.25.6.tar.gz) = 248292
Modified: head/net/py-urllib3/files/pkg-message.in
==============================================================================
--- head/net/py-urllib3/files/pkg-message.in Tue Nov 26 17:45:35 2019 (r518475)
+++ head/net/py-urllib3/files/pkg-message.in Tue Nov 26 18:37:58 2019 (r518476)
@@ -1,7 +1,21 @@
[
-{ type: install
+{
message: <<EOM
-Be careful, support of IPv6 is broken with PySocks 1.5.7.
+Since version 1.25 HTTPS connections are now verified by default which is done
+via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be
+disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.
+
+Various consumers of net/py-urllib3 already have implemented routines that
+either explicitly enable or disable HTTPS certificate verification (e.g. via
+configuration settings, CLI arguments, etc.).
+
+Yet it may happen that there are still some consumers which don't explicitly
+enable/disable certificate verification for HTTPS connections which could then
+lead to errors (as is often the case with self-signed certificates).
+
+In case of an error one should try first to temporarily disable certificate
+verification of the problematic urllib3 consumer to see if that approach will
+remedy the issue.
EOM
}
]
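Review bot: The first changed line replaces "{ type: install" with a bare "{", and the log does not mention dropping the type. The new text describes a behaviour change "Since version 1.25", which mainly concerns users upgrading from 1.22, so state the intended display condition explicitly in the entry instead of leaving it implicit. The body also repeats the UPDATING entry almost word for word ("that approach" here, "this approach" there); keep the two in sync, and any clarification made to the final paragraph about temporarily disabling verification should be applied to both copies.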