Bug#1026802: marked as done (python3.10: Should be built with --with-ssl-default-suites=openssl)

Debian Bug Tracking System Thu, 09 Feb 2023 21:27:19 -0800

Your message dated Fri, 10 Feb 2023 05:22:04 +0000
with message-id <[email protected]>
and subject line Bug#1009189: fixed in python3.11 3.11.2-3
has caused the Debian Bug report #1009189,
regarding python3.10: Should be built with --with-ssl-default-suites=openssl
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1009189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009189
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: python3.10
Version: 3.10.9-1
Severity: wishlist
User: [email protected]
Usertags: origin-kali
X-Debbugs-Cc: [email protected]

Hello Mathias (and other Python maintainers),

it would be nice if python3.10 (and future versions) could be built with
--with-ssl-default-suites=openssl.

Starting with Python 3.10, with the default configuration
("--with-ssl-default-suites=python"), Python not only enforces its own
cipher list but also requires TLS1.2 as a minimal protocol version.

This is certainly a sensible thing to do in the context of Python upstream
where you don't know much about the rest of the environment but in the
context of Debian, it makes sense to not duplicate such restrictions at
all levels and leave that to the sane defaults that are regularly reviewed
in the openssl source package itself (which currently sets
OPENSSL_TLS_SECURITY_LEVEL=2).

This also means that it's possible for users to actually override the
system wide defaults through changes to /etc/ssl/openssl.cnf and we are
actually making this possible in Kali to reduce the security level and
make it possible to access old insecure servers. However despite our
changes, the Python applications are not able to use old TLS versions,
due to the restrictions imposed by Python itself.

Credit goes to Adrian Vollmer who reported this to Kali here:
https://bugs.kali.org/view.php?id=8097

Let me know if you are open to this idea, and if you want a merge request.

Cheers,

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.0.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages python3.10 depends on:
ii  libpython3.10-stdlib  3.10.9-1
ii  media-types           8.0.0
ii  mime-support          3.66
ii  python3.10-minimal    3.10.9-1

python3.10 recommends no packages.

Versions of packages python3.10 suggests:
ii  binutils         2.39.50.20221208-5
ii  python3.10-doc   3.10.9-1
pn  python3.10-venv  <none>

-- no debconf information

-- 
Raphaël Hertzog

--- End Message ---

--- Begin Message ---

Source: python3.11
Source-Version: 3.11.2-3
Done: Matthias Klose <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python3.11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <[email protected]> (supplier of updated python3.11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Feb 2023 05:59:34 +0100
Source: python3.11
Architecture: source
Version: 3.11.2-3
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <[email protected]>
Changed-By: Matthias Klose <[email protected]>
Closes: 960869 1009189 1026802
Changes:
 python3.11 (3.11.2-3) unstable; urgency=medium
 .
   [ Stefano Rivera ]
   * Refresh patches.
   * Revert pip importlib.metadata workaround, fixed in pip 22.2.
   * Declare python3.11 to be PEP 668 EXTERNALLY-MANAGED.
   * Update and install README.venv, explaining this.
   * Recommend ca-certificates from python3.11. Closes: #960869.
   * Configure --with-ssl-default-suites=openssl. Closes: #1026802.
   * Update watch file.
   * Include CCSHARED override in distutils test_customize_compiler.
 .
   [Matthias Klose]
   * Really new upstream version.
   * Configure --with-ssl-default-suites=openssl. Closes: #1009189.
   * Build-depend on libb2-dev.
   * Fix removing Debian build flags from _sysconfigdata. LP: #2006738.
Checksums-Sha1:
 c9d3ce7155d1f4524cb8a6a70f16d3e4349d2758 3643 python3.11_3.11.2-3.dsc
 3f561c6768d83b2891ee115639a5770fa647ed42 212616 
python3.11_3.11.2-3.debian.tar.xz
 8f96fae2f9b86b843a24c7be6997ed677786140c 10119 
python3.11_3.11.2-3_source.buildinfo
Checksums-Sha256:
 51f6a5b586405f7ba58277caf311925d24dbbd3ca55388d8d7aa33779be9f3c5 3643 
python3.11_3.11.2-3.dsc
 f1a9bb6451dbb39816dd74c9ddcf39bed33d52864902842f7382f333337d1fa1 212616 
python3.11_3.11.2-3.debian.tar.xz
 81254d87d6167671c7f4f673aca2c87d8c12614f271dc6cd0bd9fab88e4bc4f4 10119 
python3.11_3.11.2-3_source.buildinfo
Files:
 36fea41b53ce93aa75b1e49063bb428b 3643 python optional python3.11_3.11.2-3.dsc
 8524d5c31fd8cb7cce938851901c26e8 212616 python optional 
python3.11_3.11.2-3.debian.tar.xz
 7b291492e48693901cdaa87c8c07394f 10119 python optional 
python3.11_3.11.2-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmPlz8QQHGRva29AZGVi
aWFuLm9yZwAKCRC9fqpgd4+m9b1GEADK5dNZLdHxleNUG/eV5JR8ITMHcCkme+uG
Kxqdot8U1fTPXxQyk4rDB/xkujetz0gsHI7jGmuUbAtHwDeDL/uZPI5sv6kS7MKx
g85EcCchsFfw5d0zN7wN1mxYHe7nDQHZMncw0X4Gcx2hcF1imO9LbngHqP7ivtat
8qkk0O3xe5yZGc/HFXmc1MnjCcdhuPvHdRow+O8DVCpVyx5b6M0CVsEpFzNUANza
Hv6PYEPk6uvSS9CuyeBcRI2j1xJ5dMZjB3/r8QntCgCe9zdDUluYcqr8hVT6L8MK
dNT0QBRD1HHO4+MuBMnXa5V+CDltDPDD9qArDV7OOsog5MLkOuRvM5CjOcdGAINj
8973gZwUGUB89FLAgdAHOoijaEg/ZGE+CLhbohUT3/fAHQQyscxiF7j3lh9OOg1/
sgF9HKkjOKzNgevR21dZ8VQk3EkHhsDtEWvm03P39PpyAhL6gxB1zR1oqr3yo/Z5
zGVS6NIgHmB9lzRUbn0aQZbL9JN8pFF7EMaRRnD1VHQdMQDxhoxdwyUbJ6fojLsS
G3B0gKuR905B8NdsXBlMIcBJqWHIADLiLlwe7K5L2EaaDGPrVCjDymMsgddH8jKb
uRlLGU9VY8YX42Q1up+Nt/9nXu/9bp4a008u5Lz1CxKxGwLgYjUnOD72r2tucBVt
rX5166XQLA==
=llwt
-----END PGP SIGNATURE-----

--- End Message ---

Bug#1026802: marked as done (python3.10: Should be built with --with-ssl-default-suites=openssl)

Reply via email to