Your message dated Sun, 31 May 2026 12:05:12 +0000
with message-id <[email protected]>
and subject line Bug#1138515: fixed in python-xmlsec 1.3.17-2
has caused the Debian Bug report #1138515,
regarding please add patch from PR422 to support xmlsec1 1.3.11
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1138515: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138515
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-xmlsec
Version: 1.3.14-3
Severity: important
X-Debbugs-Cc: [email protected]
Hi,
thanks for the quick 1.3.14 -> 1.3.17 update.
I am picking up the xmlsec 1.3.11 transition stuff again (which will be
needed for an eventual openssl 4.0.0 transition anyway). As I mentioned
in #1138490 there is
https://github.com/xmlsec/python-xmlsec/commit/5e8b4e6aa133c358b8aaf8e17ceb5b3b7fea78e8
supposed to fix the build with xmlsec1 1.3.11. It does fix the test so
that it does not segfault anymore
(but now gets into a _hashlib.UnsupportedDigestmodError: unsupported hash type
sha384
while xmlsec1 does build with SHA384 support and according to
https://docs.python.org/3/library/hashlib.html it's suppsed to be there
all times? Something for later though. Will ask on the ml.... At least
that is better than before though)
A build with xmlsec1 1.3.10 also still works.
(deb)diff attached.
Regards,
Rene
diff -Nru python-xmlsec-1.3.17/debian/changelog python-xmlsec-1.3.17/debian/changelog
--- python-xmlsec-1.3.17/debian/changelog 2026-05-30 22:59:12.000000000 +0200
+++ python-xmlsec-1.3.17/debian/changelog 2026-05-31 09:56:32.000000000 +0200
@@ -1,3 +1,10 @@
+python-xmlsec (1.3.17-2) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * add patch for PR422 for xmlsec1 1.3.11 support (closes: #FIXME)
+
+ -- Rene Engelhard <[email protected]> Sun, 31 May 2026 09:56:32 +0200
+
python-xmlsec (1.3.17-1) unstable; urgency=medium
* Team upload.
diff -Nru python-xmlsec-1.3.17/debian/patches/pr422.patch python-xmlsec-1.3.17/debian/patches/pr422.patch
--- python-xmlsec-1.3.17/debian/patches/pr422.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-xmlsec-1.3.17/debian/patches/pr422.patch 2026-05-31 09:28:57.000000000 +0200
@@ -0,0 +1,96 @@
+From 5e8b4e6aa133c358b8aaf8e17ceb5b3b7fea78e8 Mon Sep 17 00:00:00 2001
+From: Amin Solhizadeh <[email protected]>
+Date: Tue, 28 Apr 2026 09:19:53 +0200
+Subject: [PATCH] Bump xmlsec1 unix lib to 1.3.11 (#422)
+
+xmlsec1 1.3.11 may call OPENSSL_cleanup() from the OpenSSL
+backend during shutdown. OpenSSL cannot be reinitialized in the
+same process after that cleanup runs.
+
+Update the lifecycle test to call init() before shutdown(), run it
+last, and stop testing shutdown/init reinitialization. Document the
+new lifecycle constraint in the module docs and runtime docstrings.
+
+See https://github.com/lsh123/xmlsec/issues/1148 for details.
+---
+ src/main.c | 13 ++++++++++---
+ tests/conftest.py | 11 ++++++-----
+ tests/test_xmlsec.py | 13 ++++++++-----
+ 6 files changed, 37 insertions(+), 15 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index 61eac139..c7dac2b5 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -101,8 +101,11 @@ static int PyXmlSec_Init(void) {
+ static char PyXmlSec_PyInit__doc__[] = \
+ "init() -> None\n"
+ "Initializes the library for general operation.\n\n"
+- "This is called upon library import and does not need to be called\n"
+- "again :func:`~.shutdown` is called explicitly).\n";
++ "This is called upon library import and normally does not need to be\n"
++ "called explicitly. It is only valid before shutdown() has been called.\n\n"
++ "Calling init() after shutdown() is unsupported because upstream\n"
++ "xmlsec1 1.3.11+ may call OPENSSL_cleanup() during shutdown, and OpenSSL\n"
++ "cannot be reinitialized in the same process after that cleanup.\n";
+ static PyObject* PyXmlSec_PyInit(PyObject *self) {
+ if (PyXmlSec_Init() < 0) {
+ return NULL;
+@@ -114,7 +117,11 @@ static char PyXmlSec_PyShutdown__doc__[] = \
+ "shutdown() -> None\n"
+ "Shutdowns the library and cleanup any leftover resources.\n\n"
+ "This is called automatically upon interpreter termination and\n"
+- "should not need to be called explicitly.";
++ "should not need to be called explicitly.\n\n"
++ "Shutdown is process-final. Do not call init() after shutdown(),\n"
++ "because upstream xmlsec1 1.3.11+ may call OPENSSL_cleanup() during shutdown,\n"
++ "and OpenSSL cannot be reinitialized in the same process after that\n"
++ "cleanup.";
+ static PyObject* PyXmlSec_PyShutdown(PyObject* self) {
+ PyXmlSec_Free(free_mode);
+ Py_RETURN_NONE;
+diff --git a/tests/conftest.py b/tests/conftest.py
+index a65235d5..4d57ef10 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -1,10 +1,11 @@
+ def pytest_collection_modifyitems(items):
+- """Put the module init test first.
++ """Put the module shutdown test last.
+
+- This way, we implicitly check whether any subsequent test fails because of module reinitialization.
++ xmlsec shutdown is process-final with OpenSSL cleanup introduced in
++ xmlsec1 1.3.11, so no tests should use xmlsec after it runs.
+ """
+
+- def module_init_tests_first(item):
+- return int('test_xmlsec.py::TestModule::test_reinitialize_module' not in item.nodeid)
++ def module_init_shutdown_tests_last(item):
++ return int('test_xmlsec.py::TestModule::test_init_shutdown_module' in item.nodeid)
+
+- items.sort(key=module_init_tests_first)
++ items.sort(key=module_init_shutdown_tests_last)
+diff --git a/tests/test_xmlsec.py b/tests/test_xmlsec.py
+index 52dce2b3..4267ac2a 100644
+--- a/tests/test_xmlsec.py
++++ b/tests/test_xmlsec.py
+@@ -3,11 +3,14 @@
+
+
+ class TestModule(base.TestMemoryLeaks):
+- def test_reinitialize_module(self):
+- """This test doesn't explicitly verify anything, but will be invoked first in the suite.
++ iterations = 0
+
+- So if the subsequent tests don't fail, we know that the ``init()``/``shutdown()``
+- function pair doesn't break anything.
++ def test_init_shutdown_module(self):
++ """Check explicit initialization before final module shutdown.
++
++ This test is invoked last because shutdown is process-final: since
++ xmlsec1 1.3.11, its OpenSSL backend may call OPENSSL_cleanup(), after
++ which OpenSSL cannot be reinitialized in the same process.
+ """
+- xmlsec.shutdown()
+ xmlsec.init()
++ xmlsec.shutdown()
diff -Nru python-xmlsec-1.3.17/debian/patches/series python-xmlsec-1.3.17/debian/patches/series
--- python-xmlsec-1.3.17/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-xmlsec-1.3.17/debian/patches/series 2026-05-31 09:26:56.000000000 +0200
@@ -0,0 +1 @@
+pr422.patch
--- End Message ---
--- Begin Message ---
Source: python-xmlsec
Source-Version: 1.3.17-2
Done: Rene Engelhard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-xmlsec, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rene Engelhard <[email protected]> (supplier of updated python-xmlsec package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 31 May 2026 09:56:32 +0200
Source: python-xmlsec
Architecture: source
Version: 1.3.17-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Rene Engelhard <[email protected]>
Closes: 1138515
Changes:
python-xmlsec (1.3.17-2) unstable; urgency=medium
.
* Team upload.
* add patch for PR422 for xmlsec1 1.3.11 support (closes: #1138515)
Checksums-Sha1:
355ff1f4a21c69576c975d08b5e2ff9da1a69fd7 2254 python-xmlsec_1.3.17-2.dsc
d4f3b61de87691ff579222ddd35cd7dd20c9102d 4420
python-xmlsec_1.3.17-2.debian.tar.xz
c720ed0f457a69b4350c4ab311e4e1f289237d2f 8967
python-xmlsec_1.3.17-2_source.buildinfo
Checksums-Sha256:
d13370230d1c19de1a425fedb0763106d7bd5294c0120ed7b506b1903f8db9d6 2254
python-xmlsec_1.3.17-2.dsc
b961e749f029a7b4b409920d74cbfc837ffc9f35d6ff47394b5d80943faef214 4420
python-xmlsec_1.3.17-2.debian.tar.xz
5e14cb2d6287729137517e554cab4a5eecc0c8c5004389b1811db588ec5460e3 8967
python-xmlsec_1.3.17-2_source.buildinfo
Files:
c8a00e2f5f2b34707666cac9ce34cf09 2254 python optional
python-xmlsec_1.3.17-2.dsc
e1fa7008d5309dad3f0d10966a22c723 4420 python optional
python-xmlsec_1.3.17-2.debian.tar.xz
848226538932fdea8bc274a472f18daf 8967 python optional
python-xmlsec_1.3.17-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEj23hBDd/OxHnQXSHMfMURUShdBoFAmocH68ACgkQMfMURUSh
dBqR9w//e5N08ZaXs3Pyagyxjnrim/lOyk8l2qf0FK1eiGJ4+RlMmmprGZhkPWXg
jbeqhpv/jZJ3wWNO6PuRFETovafATXlhHzCS30YyAs+vUHDbFeiwoadw8nQKzadc
zdJmzSMEcbVRXhuBxWyHjfr/RhzY5v8GK7pWTjxHdSSlRq8mhUzZSagBS1tdE9yS
wuBLSORI/mQBPNPqrqzhgGyV96LPPVA4ryc9p++ixxOuqu/GGsYK5fJD66ho/bQI
Cf8+eH7hRQhyMczOKkaEyMPKield2t4TxOc8/V4A+Pu8YY0GB69I26O0uSr05NYp
9EASPQch1L0BaVXQXwhYwShB8wPvsqW/VFSUsc9C1SQ6NvfWQw/MO6HYYImgNezz
bbQoz1UUVCYjQqyu23LcJHX1i7kFCw2ixDzz0a0+c7eYTRUiMkM6o40v4P9z/2hI
mbMDUq6pgG2w5EHVl600lRVZHd3q9nZB6nBQrfyLryeayp89UnPdXt9fzDQljIJv
o77UXrxPgPCTHg28ocfVeuF7YevuIp6qQ4ZfZshyoYChqFObYKYRo6T99m+SlbVF
cD+hf6v8q0EmSsjovsv57RfhiHksweyR3cTWzBnba8xcXOolmNGCW5xmzE53bBF0
7NE+wt4cGIV/L5r6w/opGga1nG2rDPq2CgJifl6miFTduQ7/pnk=
=X8e2
-----END PGP SIGNATURE-----
pgpn9U5v1PZdM.pgp
Description: PGP signature
--- End Message ---
