Source: python-xmlsec
Version: 1.3.14-3
Severity: important
X-Debbugs-Cc: [email protected]
Hi,

thanks for the quick 1.3.14 -> 1.3.17 update.

I am picking up the xmlsec 1.3.11 transition stuff again (which will be needed for an eventual openssl 4.0.0 transition anyway).

As I mentioned in #1138490 there is https://github.com/xmlsec/python-xmlsec/commit/5e8b4e6aa133c358b8aaf8e17ceb5b3b7fea78e8 supposed to fix the build with xmlsec1 1.3.11.

It does fix the test so that it does not segfault anymore (but now gets into a _hashlib.UnsupportedDigestmodError: unsupported hash type sha384 while xmlsec1 does build with SHA384 support and according to https://docs.python.org/3/library/hashlib.html it's supposed to be there at all times? Something for later though. Will ask on the ml.... At least that is better than before though)

A build with xmlsec1 1.3.10 also still works.

(deb)diff attached.

Regards,

Rene
diff -Nru python-xmlsec-1.3.17/debian/changelog python-xmlsec-1.3.17/debian/changelog --- python-xmlsec-1.3.17/debian/changelog 2026-05-30 22:59:12.000000000 +0200 +++ python-xmlsec-1.3.17/debian/changelog 2026-05-31 09:56:32.000000000 +0200 @@ -1,3 +1,10 @@ +python-xmlsec (1.3.17-2) UNRELEASED; urgency=medium + + * Team upload. + * add patch for PR422 for xmlsec1 1.3.11 support (closes: #FIXME) + + -- Rene Engelhard <[email protected]> Sun, 31 May 2026 09:56:32 +0200 + python-xmlsec (1.3.17-1) unstable; urgency=medium * Team upload. diff -Nru python-xmlsec-1.3.17/debian/patches/pr422.patch python-xmlsec-1.3.17/debian/patches/pr422.patch --- python-xmlsec-1.3.17/debian/patches/pr422.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-xmlsec-1.3.17/debian/patches/pr422.patch 2026-05-31 09:28:57.000000000 +0200 
@@ -0,0 +1,96 @@ +From 5e8b4e6aa133c358b8aaf8e17ceb5b3b7fea78e8 Mon Sep 17 00:00:00 2001 +From: Amin Solhizadeh <[email protected]> +Date: Tue, 28 Apr 2026 09:19:53 +0200 +Subject: [PATCH] Bump xmlsec1 unix lib to 1.3.11 (#422) + +xmlsec1 1.3.11 may call OPENSSL_cleanup() from the OpenSSL +backend during shutdown. OpenSSL cannot be reinitialized in the +same process after that cleanup runs. + +Update the lifecycle test to call init() before shutdown(), run it +last, and stop testing shutdown/init reinitialization. Document the +new lifecycle constraint in the module docs and runtime docstrings. + +See https://github.com/lsh123/xmlsec/issues/1148 for details. +--- + src/main.c | 13 ++++++++++--- + tests/conftest.py | 11 ++++++----- + tests/test_xmlsec.py | 13 ++++++++----- + 6 files changed, 37 insertions(+), 15 deletions(-) + +diff --git a/src/main.c b/src/main.c +index 61eac139..c7dac2b5 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -101,8 +101,11 @@ static int PyXmlSec_Init(void) { + static char PyXmlSec_PyInit__doc__[] = \ + "init() -> None\n" + "Initializes the library for general operation.\n\n" +- "This is called upon library import and does not need to be called\n" +- "again :func:`~.shutdown` is called explicitly).\n"; ++ "This is called upon library import and normally does not need to be\n" ++ "called explicitly. 
It is only valid before shutdown() has been called.\n\n" ++ "Calling init() after shutdown() is unsupported because upstream\n" ++ "xmlsec1 1.3.11+ may call OPENSSL_cleanup() during shutdown, and OpenSSL\n" ++ "cannot be reinitialized in the same process after that cleanup.\n"; + static PyObject* PyXmlSec_PyInit(PyObject *self) { + if (PyXmlSec_Init() < 0) { + return NULL; +@@ -114,7 +117,11 @@ static char PyXmlSec_PyShutdown__doc__[] = \ + "shutdown() -> None\n" + "Shutdowns the library and cleanup any leftover resources.\n\n" + "This is called automatically upon interpreter termination and\n" +- "should not need to be called explicitly."; ++ "should not need to be called explicitly.\n\n" ++ "Shutdown is process-final. Do not call init() after shutdown(),\n" ++ "because upstream xmlsec1 1.3.11+ may call OPENSSL_cleanup() during shutdown,\n" ++ "and OpenSSL cannot be reinitialized in the same process after that\n" ++ "cleanup."; + static PyObject* PyXmlSec_PyShutdown(PyObject* self) { + PyXmlSec_Free(free_mode); + Py_RETURN_NONE; +diff --git a/tests/conftest.py b/tests/conftest.py +index a65235d5..4d57ef10 100644 +--- a/tests/conftest.py ++++ b/tests/conftest.py +@@ -1,10 +1,11 @@ + def pytest_collection_modifyitems(items): +- """Put the module init test first. ++ """Put the module shutdown test last. + +- This way, we implicitly check whether any subsequent test fails because of module reinitialization. ++ xmlsec shutdown is process-final with OpenSSL cleanup introduced in ++ xmlsec1 1.3.11, so no tests should use xmlsec after it runs. 
+ """ + +- def module_init_tests_first(item): +- return int('test_xmlsec.py::TestModule::test_reinitialize_module' not in item.nodeid) ++ def module_init_shutdown_tests_last(item): ++ return int('test_xmlsec.py::TestModule::test_init_shutdown_module' in item.nodeid) + +- items.sort(key=module_init_tests_first) ++ items.sort(key=module_init_shutdown_tests_last) +diff --git a/tests/test_xmlsec.py b/tests/test_xmlsec.py +index 52dce2b3..4267ac2a 100644 +--- a/tests/test_xmlsec.py ++++ b/tests/test_xmlsec.py +@@ -3,11 +3,14 @@ + + + class TestModule(base.TestMemoryLeaks): +- def test_reinitialize_module(self): +- """This test doesn't explicitly verify anything, but will be invoked first in the suite. ++ iterations = 0 + +- So if the subsequent tests don't fail, we know that the ``init()``/``shutdown()`` +- function pair doesn't break anything. ++ def test_init_shutdown_module(self): ++ """Check explicit initialization before final module shutdown. ++ ++ This test is invoked last because shutdown is process-final: since ++ xmlsec1 1.3.11, its OpenSSL backend may call OPENSSL_cleanup(), after ++ which OpenSSL cannot be reinitialized in the same process. + """ +- xmlsec.shutdown() + xmlsec.init() ++ xmlsec.shutdown() diff -Nru python-xmlsec-1.3.17/debian/patches/series python-xmlsec-1.3.17/debian/patches/series --- python-xmlsec-1.3.17/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ python-xmlsec-1.3.17/debian/patches/series 2026-05-31 09:26:56.000000000 +0200 @@ -0,0 +1 @@ +pr422.patch
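
Review bot: the new debian/changelog entry still carries the placeholder `(closes: #FIXME)`; replace it with the number this report is assigned before upload, otherwise the upload will not close the bug.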
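
Review bot: in the header of debian/patches/pr422.patch the diffstat names three files while its summary line reads `6 files changed, 37 insertions(+), 15 deletions(-)`, and the commit message mentions module docs that have no hunk here, so the upstream commit appears to have been trimmed. Record that in a DEP-3 header (Origin pointing at the upstream commit, plus a note on which files were dropped and why) so whoever refreshes the patch next does not have to rediscover it.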
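
Review bot: in the src/main.c hunks the rule that init() must not follow shutdown() exists only in the two docstrings; in the visible context PyXmlSec_PyInit still goes straight to `PyXmlSec_Init()` and PyXmlSec_PyShutdown to `PyXmlSec_Free(free_mode)`, with no state check in either. Consider recording that shutdown has run and having init() raise a Python exception in that state, so a caller that gets the order wrong sees a clear error instead of running against an OpenSSL that has already been cleaned up. That would be a change to propose upstream rather than carry here.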
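
Review bot: in the tests/conftest.py hunk the ordering hangs on the literal node id `test_xmlsec.py::TestModule::test_init_shutdown_module` inside the sort key; if the test is renamed or moved, every item gets key 0, the shutdown test runs in collection order, and the tests after it use xmlsec after shutdown with nothing flagging the mismatch. Selecting the test by a marker defined next to it, or sharing the name through one constant, would keep the two from drifting apart.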
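
Review bot: `iterations = 0` at the top of TestModule in the tests/test_xmlsec.py hunk has no comment; presumably it stops the TestMemoryLeaks base class from repeating the test, which would call init() after shutdown(), but the reason should be stated next to the line. The test body also asserts nothing, so it only catches a crash in `xmlsec.init()` or `xmlsec.shutdown()`.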

