Re: Python (was: Merging core-updates?)
Hello,

On Sun, Feb 19, 2023 at 11:24:44PM +0100, Andreas Enge wrote:
> python-graphviz does not pass its tests any more in core-updates, and
> I can trace it back to your commit 3d388fe3d0475f2e991ae061cc1364529a97af42.
> Adding python-mock back to native-inputs fixes it.

I opted for this fix and could compile python-graphviz; this enables me
to test the build of icecat now.

Andreas
Re: Python (was: Merging core-updates?)
On Sun, Feb 19, 2023 at 12:30:42PM +0100, Andreas Enge wrote:
> And another one: python-ecdsa

This just built. Strange, but I will not complain!

Andreas
Re: Python (was: Merging core-updates?)
On Sun, Feb 19, 2023 at 10:59:35PM +, Kaelyn wrote:
> It was mentioned recently that python-pycryptodome is / should be a drop-in
> replacement for python-pycrypto (it also says that in the package
> description);

Apparently it is not, as Lars wrote. And in any case, it does require some
patching: I tried to compile python-potr with either of python-pycryptodome
and python-pycryptodomex, and it fails in the check phase, where it tries
to download pycrypto via pip.

> perhaps replace the python-pycrypto input with python-pycryptodome for
> python-potr, with a snippet to change the pycrypto dependency to pycryptodome
> in python-potr's setup.py?

Indeed this would be an alternative; but then here, I would still argue that
it is not a "drop-in replacement" for python-potr (in C, one could imagine
a separate project creating a library with the same soname).

> After taking a peek at the poezio and python-potr git repos, the main
> alternative I can see to patching the dependency is to remove python-potr
> from poezio's inputs since python-potr is listed as an optional dependency in
> poezio's setup.py (for its OTR plugin).

But without python-potr, the tests fail... So it may be optional, but not
for the tests.

I took the liberty to update poezio while keeping the python-potr dependency,
as it does not worsen the situation, and could be argued to improve it.

Andreas
Re: Python (was: Merging core-updates?)
--- Original Message ---
On Sunday, February 19th, 2023 at 10:08 PM, Andreas Enge wrote:

>
> There is poezio, which has a new release (0.14), with a license change to
> gpl3+. I updated python-slixmpp, a dependency of poezio, but this is not
> enough: The newest poezio still depends on python-potr, which in turn depends
> on python-pycrypto.

It was mentioned recently that python-pycryptodome is / should be a drop-in
replacement for python-pycrypto (it also says that in the package
description); perhaps replace the python-pycrypto input with
python-pycryptodome for python-potr, with a snippet to change the pycrypto
dependency to pycryptodome in python-potr's setup.py?

After taking a peek at the poezio and python-potr git repos, the main
alternative I can see to patching the dependency is to remove python-potr
from poezio's inputs since python-potr is listed as an optional dependency in
poezio's setup.py (for its OTR plugin).

Cheers,
Kaelyn

>
> Andreas
Re: Python (was: Merging core-updates?)
Hello Ricardo,

python-graphviz does not pass its tests any more in core-updates, and
I can trace it back to your commit 3d388fe3d0475f2e991ae061cc1364529a97af42.
Adding python-mock back to native-inputs fixes it.

Or maybe python-pytest-mock should have python-mock as propagated input?
It calls itself a "Thin-wrapper around the mock package for easier use with
py.test", but does not even have python-mock as any kind of input.

Thanks for your help,

Andreas
Re: Python (was: Merging core-updates?)
There is poezio, which has a new release (0.14), with a license change to
gpl3+. I updated python-slixmpp, a dependency of poezio, but this is not
enough: The newest poezio still depends on python-potr, which in turn depends
on python-pycrypto.

Andreas
Re: Python (was: Merging core-updates?)
On Sun, Feb 19, 2023 at 04:50:37PM +0100, Lars-Dominik Braun wrote:
> The rest seems to be alive
> without any references to python-pycrypto. So these should be upgradable
> and then we can drop python-pycrypto.

I more or less got rid of one of them: python-ledgerblue.
I have updated it from 0.1.16 of 2016 (!) to 0.1.44 of last month.
The package builds, but the tests fail. I did not find an intermediate
commit that would not depend on python-pycrypto, but pass its tests.
(Well, I did not check each and every one of them either.)

I pushed nevertheless, since the situation is not worse than before.
Maybe someone more knowledgeable could have a look and see whether the
tests can be fixed or should be disabled. Here is the error message:

running build_ext
usage: -c [-h] [--targetId TARGETID] [--rootPrivateKey ROOTPRIVATEKEY] [--apdu] [--deployLegacy]
-c: error: unrecognized arguments: test
error: in phase 'check': uncaught exception:
%exception #< program: "python" arguments: ("-c" "import setuptools, tokenize;__file__='setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\\r\\n', '\\n');f.close();exec(compile(code, __file__, 'exec'))" "test") exit-status: 2 term-signal: #f stop-signal: #f>
phase `check' failed after 1.2 seconds
command "python" "-c" "import setuptools, tokenize;__file__='setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\\r\\n', '\\n');f.close();exec(compile(code, __file__, 'exec'))" "test" failed with status 2
builder for `/gnu/store/9kfks35xhr6abgkmpmy0la2m2nrwg6i1-python-ledgerblue-0.1.44.drv' failed with exit code 1
build of /gnu/store/9kfks35xhr6abgkmpmy0la2m2nrwg6i1-python-ledgerblue-0.1.44.drv failed

Andreas
Re: Python (was: Merging core-updates?)
On Sun, Feb 19, 2023 at 12:57:07PM +0100, Andreas Enge wrote:
> > which seems to be the only change in attrdict3, see
> > https://github.com/pirofti/AttrDict3/commit/f6678b627b469c9aeddca2a9e4ba4e1ee9e3ccbb
> Great, I will replace the package then.

Done. Interestingly enough, there was only one dependent: python-wxpython;
which has three dependents, of which python-matplotlib, and from there it
propagates everywhere...

Andreas
Re: Python (was: Merging core-updates?)
Hi,

> Except that we have to decide what to do about its dependents...

upgrade or drop if not possible. pycryptodome does not provide an entirely
compatible interface (see https://www.pycryptodome.org/src/vs_pycrypto),
so we cannot simply switch existing packages from pycrypto to pycryptodome
without manual testing and (possibly) patching.

eolie upstream looks dead, same with jrnl. The rest seems to be alive
without any references to python-pycrypto. So these should be upgradable
and then we can drop python-pycrypto.

Lars
Re: Python (was: Merging core-updates?)
> but it is somehow in the same git repository as trezor-agent,
> and I do not totally understand how these are related. Taking
> back my rant and acknowledging my ignorance.

weirdly enough, upstream uses one git repo for multiple projects, and uses
prefixed tag names for them.

FYI, there's this long-pending patchset to update the trezor-agent
(something i can test myself):

https://issues.guix.gnu.org/58437#4

it's been pending so long, maybe it should be updated again.

--
• attila lendvai
• PGP: 963F 5D5F 45C7 DFCD 0A39
--
“Hurt people hurt people. That's how pain patterns gets passed on, generation after generation after generation. Break the chain today. Meet anger with sympathy, contempt with compassion, cruelty with kindness. Greet grimaces with smiles. Forgive and forget about finding fault. Love is the weapon of the future.”
— Yehuda Berg
Re: Python (was: Merging core-updates?)
Hello Lars,

thanks for having a look!

On Sun, Feb 19, 2023 at 12:47:46PM +0100, Lars-Dominik Braun wrote:
> > command "python" "-m" "compileall" "--invalidation-mode=unchecked-hash"
> > "/gnu/store/5i3yqwaqd8mayl2vr9lmrihxwv8203b1-python-pycrypto-2.6.1" failed
> > with status 1
> this particular line looks different with Python 3.9, since the package
> is built with an automated Python 2 to Python 3 converter, which does
> not seem to work correctly on 3.10 (build_py_2to3 in setup.py). Not
> sure why though. Given the warning on their homepage it’s probably
> safe to drop the package.

Except that we have to decide what to do about its dependents...

> > from collections import Mapping
> > ImportError: cannot import name 'Mapping' from 'collections'
> > (/gnu/store/blals34ar25fiifvm17m2b504waxzys0-python-3.10.7/lib/python3.10/collections/__init__.py)
> This is trivial to fix and should be
> from collections.abc import Mapping
> which seems to be the only change in attrdict3, see
> https://github.com/pirofti/AttrDict3/commit/f6678b627b469c9aeddca2a9e4ba4e1ee9e3ccbb

Great, I will replace the package then.

Andreas
Re: Python (was: Merging core-updates?)
On Sun, Feb 19, 2023 at 12:02:15PM +0100, Andreas Enge wrote:
> Then we have:
> Building the following 6 packages would ensure 9 dependent packages are
> rebuilt: python-miio@0.5.11 ledger-agent@0.9.0 electrum@4.3.2 eolie@0.9.101
> jrnl@1.9.7 poezio@0.13.2

Concerning poezio, it depends on python-potr (and is its only dependent),
which in turn depends on python-pycrypto.

Concerning python-potr, I am a bit at a loss. There is
https://github.com/python-otr/pure-python-otr
with their latest release 1.0.2 in 2018 and a big bold comment
"This software is experimental and potentially insecure. Do not rely on it".

Pypi has this:
https://pypi.org/project/python-otr/
which I suppose is a different project.

Would it make sense to remove python-potr and poezio? I am not confident
with crypto libraries that call themselves insecure...

Andreas
Re: Python (was: Merging core-updates?)
Hi Andreas,

> *** File
> "/gnu/store/5i3yqwaqd8mayl2vr9lmrihxwv8203b1-python-pycrypto-2.6.1/lib/python3.10/site-packages/Crypto/Util/number.py",
> line 139
> value |= 2L ** (N-1)# Ensure high bit is set
> ^
> SyntaxError: invalid decimal literal
> error: in phase 'install': uncaught exception:
> %exception #< program: "python" arguments: ("-m" "compileall"
> "--invalidation-mode=unchecked-hash"
> "/gnu/store/5i3yqwaqd8mayl2vr9lmrihxwv8203b1-python-pycrypto-2.6.1")
> exit-status: 1 term-signal: #f stop-signal: #f>
> phase `install' failed after 0.5 seconds
> command "python" "-m" "compileall" "--invalidation-mode=unchecked-hash"
> "/gnu/store/5i3yqwaqd8mayl2vr9lmrihxwv8203b1-python-pycrypto-2.6.1" failed
> with status 1

this particular line looks different with Python 3.9, since the package
is built with an automated Python 2 to Python 3 converter, which does
not seem to work correctly on 3.10 (build_py_2to3 in setup.py). Not
sure why though. Given the warning on their homepage it’s probably
safe to drop the package.

> from collections import Mapping
> ImportError: cannot import name 'Mapping' from 'collections'
> (/gnu/store/blals34ar25fiifvm17m2b504waxzys0-python-3.10.7/lib/python3.10/collections/__init__.py)

This is trivial to fix and should be

from collections.abc import Mapping

which seems to be the only change in attrdict3, see
https://github.com/pirofti/AttrDict3/commit/f6678b627b469c9aeddca2a9e4ba4e1ee9e3ccbb

Cheers,
Lars
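
The two Python 3.10 breakages diagnosed in the message above (an unconverted Python 2 long literal and an ABC imported from `collections` instead of `collections.abc`) can be found in a source tree before a build fails. The scanner below is an added example, not part of the thread or of Guix; `scan_source`, `MOVED_ABCS` and the sample snippets are constructed for illustration.

```python
import ast
import re

# ABC names that were importable from `collections` up to Python 3.9 and
# exist only in `collections.abc` from 3.10 on (a subset, for illustration).
MOVED_ABCS = {"Mapping", "MutableMapping", "Sequence", "MutableSequence",
              "Set", "MutableSet", "Iterable", "Iterator", "Callable",
              "Hashable", "Sized", "Container"}

# Python 2 long literal such as 2L or 0xFFL; it is never valid in Python 3.
LONG_LITERAL = re.compile(r"(?<![\w.])(?:0[xX][0-9a-fA-F]+|\d+)[lL]\b")


def scan_source(source, filename="<string>"):
    """Return (line, kind, detail) findings for one Python source text."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as err:
        # Not valid Python 3: report the parser error, then use a line-based
        # heuristic (comments stripped naively) to spot unconverted literals.
        findings = [(err.lineno, "syntax-error", err.msg)]
        for number, line in enumerate(source.splitlines(), 1):
            code = line.split("#", 1)[0]
            if LONG_LITERAL.search(code):
                findings.append((number, "py2-long-literal", code.strip()))
        return findings
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.ImportFrom) and node.level == 0
                and node.module == "collections"):
            # from collections import Mapping
            findings += [(node.lineno, "moved-abc", alias.name)
                         for alias in node.names if alias.name in MOVED_ABCS]
        elif (isinstance(node, ast.Attribute) and node.attr in MOVED_ABCS
              and isinstance(node.value, ast.Name)
              and node.value.id == "collections"):
            # collections.Mapping
            findings.append((node.lineno, "moved-abc", node.attr))
    return sorted(findings)


# Constructed samples modelled on the two failing lines quoted in the thread.
PYCRYPTO_LIKE = "def f(N, value):\n    value |= 2L ** (N-1)# Ensure high bit is set\n    return value\n"
ATTRDICT_LIKE = "from collections import Mapping\n\nclass AttrMap(Mapping):\n    pass\n"
ATTRDICT3_LIKE = "from collections.abc import Mapping\n"

if __name__ == "__main__":
    for name in ("PYCRYPTO_LIKE", "ATTRDICT_LIKE", "ATTRDICT3_LIKE"):
        print(name, scan_source(globals()[name]))
```

A file that fails to parse is reported once as `syntax-error` and then line by line, so a package converted by a broken 2to3 run shows every leftover literal rather than only the first.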
Re: Python (was: Merging core-updates?)
And another one: python-ecdsa

I tried to update it from 0.17.0 to 0.18.0, but it still fails its tests
with this message:

src/ecdsa/test_jacobi.py:393: TypeError
=== warnings summary ===
src/ecdsa/test_der.py::TestEncodeBitstring::test_implicit_unused_bits
src/ecdsa/test_der.py::TestEncodeBitstring::test_new_call_convention
src/ecdsa/test_der.py::TestRemoveBitstring::test_implicit_unexpected_unused
src/ecdsa/test_der.py::TestRemoveBitstring::test_new_call_convention
  /gnu/store/blals34ar25fiifvm17m2b504waxzys0-python-3.10.7/lib/python3.10/unittest/case.py:549: PytestRemovedIn8Warning: Passing None has been deprecated.
  See https://docs.pytest.org/en/latest/how-to/capture-warnings.html#additional-use-cases-of-warnings-in-tests for alternatives in common use cases.
    method()

Andreas
Re: Python (was: Merging core-updates?)
On Sun, Feb 19, 2023 at 12:15:59PM +0100, Andreas Enge wrote:
> I am looking at these packages. One of them, ledger-agent, dates from 2017
> and has seen 25 releases in the meantime.

Well, maybe, maybe not. The version in Pypi has not changed,
but it is somehow in the same git repository as trezor-agent,
and I do not totally understand how these are related. Taking
back my rant and acknowledging my ignorance.

Andreas
Re: Python (was: Merging core-updates?)
On Sun, Feb 19, 2023 at 12:02:15PM +0100, Andreas Enge wrote:
> PPS: On the first issue, the homepage says:
>    PyCrypto 2.x is unmaintained, obsolete, and contains security
>    vulnerabilities.
> Building the following 6 packages would ensure 9 dependent packages are
> rebuilt: python-miio@0.5.11 ledger-agent@0.9.0 electrum@4.3.2 eolie@0.9.101
> jrnl@1.9.7 poezio@0.13.2

I am looking at these packages. One of them, ledger-agent, dates from 2017
and has seen 25 releases in the meantime. I can of course try to update it
(in main? core-updates?), but I am also wondering whether we have a
deprecation policy. This feels like a package nobody is interested in, and
it is demotivating to spend time fixing it... (Well, it is entirely possible
that flocks of users are still clinging on to a perfectly working old
version, but well!)

Andreas
Python (was: Merging core-updates?)
Hello,

I am having problems with at least two python packages in core-updates:

*** File "/gnu/store/5i3yqwaqd8mayl2vr9lmrihxwv8203b1-python-pycrypto-2.6.1/lib/python3.10/site-packages/Crypto/Util/number.py", line 139
    value |= 2L ** (N-1)# Ensure high bit is set
    ^
SyntaxError: invalid decimal literal
error: in phase 'install': uncaught exception:
%exception #< program: "python" arguments: ("-m" "compileall" "--invalidation-mode=unchecked-hash" "/gnu/store/5i3yqwaqd8mayl2vr9lmrihxwv8203b1-python-pycrypto-2.6.1") exit-status: 1 term-signal: #f stop-signal: #f>
phase `install' failed after 0.5 seconds
command "python" "-m" "compileall" "--invalidation-mode=unchecked-hash" "/gnu/store/5i3yqwaqd8mayl2vr9lmrihxwv8203b1-python-pycrypto-2.6.1" failed with status 1

starting phase `sanity-check'
validating 'attrdict' /gnu/store/lvy1fmmf1dsr3fjw82zal2aaisf3d47k-python-attrdict-2.0.1/lib/python3.10/site-packages
...checking requirements: OK
...trying to load module attrdict: ERROR:
Traceback (most recent call last):
  File "/gnu/store/35ix1m6m8a5s21j02ajhdyqxb2xkshfb-sanity-check.py", line 69, in
    importlib.import_module(name)
  File "/gnu/store/blals34ar25fiifvm17m2b504waxzys0-python-3.10.7/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1050, in _gcd_import
  File "", line 1027, in _find_and_load
  File "", line 1006, in _find_and_load_unlocked
  File "", line 688, in _load_unlocked
  File "", line 883, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/gnu/store/lvy1fmmf1dsr3fjw82zal2aaisf3d47k-python-attrdict-2.0.1/lib/python3.10/site-packages/attrdict/__init__.py", line 5, in
    from attrdict.mapping import AttrMap
  File "/gnu/store/lvy1fmmf1dsr3fjw82zal2aaisf3d47k-python-attrdict-2.0.1/lib/python3.10/site-packages/attrdict/mapping.py", line 4, in
    from collections import Mapping
ImportError: cannot import name 'Mapping' from 'collections' (/gnu/store/blals34ar25fiifvm17m2b504waxzys0-python-3.10.7/lib/python3.10/collections/__init__.py)
error: in phase 'sanity-check': uncaught exception:
%exception #< program: "python" arguments: ("/gnu/store/35ix1m6m8a5s21j02ajhdyqxb2xkshfb-sanity-check.py" "/gnu/store/lvy1fmmf1dsr3fjw82zal2aaisf3d47k-python-attrdict-2.0.1/lib/python3.10/site-packages") exit-status: 1 term-signal: #f stop-signal: #f>
phase `sanity-check' failed after 0.2 seconds
command "python" "/gnu/store/35ix1m6m8a5s21j02ajhdyqxb2xkshfb-sanity-check.py" "/gnu/store/lvy1fmmf1dsr3fjw82zal2aaisf3d47k-python-attrdict-2.0.1/lib/python3.10/site-packages" failed with status 1

for python-attrdict.

Both are at their latest version from Pypi.
Have there been some incompatible changes in Python 3.10? Should we revert
the Python update or try to backport patches? (I have no idea about Python,
and probably need it only for calibre.)

Andreas

PS: On the second issue: The latest commit is this:
   v2.0.1
   2019/02/01 -- Haven't used or looked at this in years so updating tests to the current version of python and then marking it inactive.
This would rather make me think we should drop it, but here we go:
   Building the following 160 packages would ensure 366 dependent packages are rebuilt: kicad@6.0.10 ...
There is something called attrdict3:
   https://pypi.org/project/attrdict3/
at the same version +0.0.1; maybe we should use this?

PPS: On the first issue, the homepage says:
   PyCrypto 2.x is unmaintained, obsolete, and contains security vulnerabilities.
   Please choose one of the following alternatives:
   Cryptography
      Recommended for new applications.
      Newer API with fewer gotchas.
      API docs GitHub PyPI
   PyCryptodome
      Recommended for existing software that depends on PyCrypto.
      Fork of PyCrypto.
      Most applications should run unmodified.
      API docs GitHub PyPI
Then we have:
   Building the following 6 packages would ensure 9 dependent packages are rebuilt: python-miio@0.5.11 ledger-agent@0.9.0 electrum@4.3.2 eolie@0.9.101 jrnl@1.9.7 poezio@0.13.2
We already have python-pycryptodome and python-pycryptodomex. Maybe we should
try rebuilding the 9 dependent packages with one of them? Do the specialists
have a preference as to which one to use? Both have a similar number of
dependents currently.