authorKai Knoblich <kai@FreeBSD.org>2019-11-26 18:37:58 +0000
committerKai Knoblich <kai@FreeBSD.org>2019-11-26 18:37:58 +0000
commitcd672417a043a2500385dd4ba8557aba03c8eb0b (patch)
tree205174eafc30fa895eae6bfc8fc23f42d99911c4
parentUpdate to 2.13.0 (diff)
net/py-urllib3: Update to 1.25.6
* Convert the RUN_DEPENDS into separate OPTIONS as they are listed as extra dependencies in setup.py. Also set those as default that contain the previous RUN_DEPENDS to allow a clean transition. * Remove the Python-specific version limitation for security/py-certifi because it's required for all Python versions. * Also remove the info about the broken IPv6 support of net/py-socks (was broken in 1.5.7) and the relevant patch as both are obsolete. * Update the TEST_DEPENDS and add a "do-test" target to make future QA easier. Please note that a MFH won't be done as it didn't get an approval because there are too many changes to make it work in the 2019Q4 branch. [1] Notable changes since 1.22: * Require and validate certificates by default when using HTTPS. * Add mitigation for BPO-37428 affecting Python < 3.7.4 and OpenSSL 1.1.1+ which caused certificate verification to be enabled when using "cert_reqs=CERT_NONE". * Add TLSv1.3 support to CPython, pyOpenSSL and SecureTransport "SSLContext" implementations. https://github.com/urllib3/urllib3/blob/1.25.6/CHANGES.rst Exp-run by: antoine PR: 229322 [1] Reported by: Patrice Clement <monsieurp@gentoo.org> Security: 87270ba5-03d3-11ea-b81f-3085a9a95629
Notes
Notes: svn path=/head/; revision=518476
-rw-r--r--UPDATING22
-rw-r--r--net/py-urllib3/Makefile33
-rw-r--r--net/py-urllib3/distinfo6
-rw-r--r--net/py-urllib3/files/patch-setup.py11
-rw-r--r--net/py-urllib3/files/pkg-message.in18
5 files changed, 60 insertions, 30 deletions
diff --git a/UPDATING b/UPDATING
index a06b927b1bfe..483d9e7d1ef2 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,28 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20191126:
+ AFFECTS: consumers of net/py-urllib3
+ AUTHOR: kai@FreeBSD.org
+
+ Since version 1.25 HTTPS connections are now verified by default which is
+ done via "cert_reqs = 'CERT_REQUIRED'". While certificate verification
+ can be disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to
+ leave it on.
+
+ Various consumers of net/py-urllib3 already have implemented routines that
+ either explicitly enable or disable HTTPS certificate verification (e.g.
+ via configuration settings, CLI arguments, etc.).
+
+ Yet it may happen that there are still some consumers which don't
+ explicitly enable/disable certificate verification for HTTPS connections
+ which could then lead to errors (as is often the case with self-signed
+ certificates).
+
+ In case of an error one should try first to temporarily disable
+ certificate verification of the problematic urllib3 consumer to see if
+ this approach will remedy the issue.
+
20191125:
AFFECTS: users of emulators/qemu
AUTHOR: bofh@FreeBSD.org
diff --git a/net/py-urllib3/Makefile b/net/py-urllib3/Makefile
index efc9a7282dbb..89f0ddbcebd3 100644
--- a/net/py-urllib3/Makefile
+++ b/net/py-urllib3/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= urllib3
-PORTVERSION= 1.22
+PORTVERSION= 1.25.6
PORTEPOCH= 1
CATEGORIES= net python
MASTER_SITES= CHEESESHOP
@@ -14,25 +14,30 @@ COMMENT= HTTP library with thread-safe connection pooling, file post, and more
LICENSE= MIT
LICENSE_FILE= ${WRKSRC}/LICENSE.txt
-RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \
- ${PY_IPADDRESS} \
- ${PYTHON_PKGNAMEPREFIX}openssl>=16.0:security/py-openssl@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.7:net/py-pysocks@${PY_FLAVOR}
TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}mock>=0:devel/py-mock@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}nose>=0:devel/py-nose@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR}
-#TEST_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR}
+ ${PYTHON_PKGNAMEPREFIX}pytest>=0:devel/py-pytest@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}tornado>=0:www/py-tornado@${PY_FLAVOR}
USES= python
USE_PYTHON= autoplist concurrent distutils
+
NO_ARCH= yes
SUB_FILES= pkg-message
-.include <bsd.port.pre.mk>
+OPTIONS_DEFINE= BROTLI SOCKS SSL
+OPTIONS_DEFAULT=SOCKS SSL
+
+BROTLI_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}brotlipy>=0.6.0:archivers/py-brotlipy@${PY_FLAVOR}
+SOCKS_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}pysocks>=1.5.6:net/py-pysocks@${PY_FLAVOR}
+SSL_RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}idna>=2.0:dns/py-idna@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}cryptography>=1.3.4:security/py-cryptography@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}openssl>=0.14:security/py-openssl@${PY_FLAVOR} \
+ ${PY_IPADDRESS}
-.if ${PYTHON_REL} < 3400
-RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}certifi>=0:security/py-certifi@${PY_FLAVOR}
-.endif
+# Test 'test_ssl_read_timeout' fails with FreeBSD >= 12.0. That was already the
+# case with earlier versions of net/py-urllib3.
+do-test:
+ @cd ${WRKSRC} && ${SETENV} LC_ALL=en_US.UTF-8 ${PYTHON_CMD} -m pytest -v -rs -k 'not test_ssl_read_timeout'
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
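Review bot: The minimum versions in the new option dependencies are lower than the ones being removed: `SSL_RUN_DEPENDS` asks for `openssl>=0.14` where `RUN_DEPENDS` had `openssl>=16.0`, and `SOCKS_RUN_DEPENDS` asks for `pysocks>=1.5.6` where it had `>=1.5.7`. The commit message does not explain the change; presumably the values were copied from the extras in upstream's setup.py. Since this update turns certificate verification on by default, I would keep the previous floor for the TLS backend, `${PYTHON_PKGNAMEPREFIX}openssl>=16.0:security/py-openssl@${PY_FLAVOR} \`, or add a comment such as `# Minimum versions follow extras_require in setup.py` above the option block so the lower bounds read as deliberate.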
diff --git a/net/py-urllib3/distinfo b/net/py-urllib3/distinfo
index 7846d2109f69..ac8c85648d74 100644
--- a/net/py-urllib3/distinfo
+++ b/net/py-urllib3/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1500642203
-SHA256 (urllib3-1.22.tar.gz) = cc44da8e1145637334317feebd728bd869a35285b93cbb4cca2577da7e62db4f
-SIZE (urllib3-1.22.tar.gz) = 226083
+TIMESTAMP = 1574013088
+SHA256 (urllib3-1.25.6.tar.gz) = 9a107b99a5393caf59c7aa3c1249c16e6879447533d0887f4336dde834c7be86
+SIZE (urllib3-1.25.6.tar.gz) = 248292
diff --git a/net/py-urllib3/files/patch-setup.py b/net/py-urllib3/files/patch-setup.py
deleted file mode 100644
index eff6df0398d2..000000000000
--- a/net/py-urllib3/files/patch-setup.py
+++ /dev/null
@@ -1,11 +0,0 @@
---- setup.py.orig 2016-09-06 14:39:59 UTC
-+++ setup.py
-@@ -61,7 +61,7 @@ setup(name='urllib3',
- 'certifi',
- ],
- 'socks': [
-- 'PySocks>=1.5.6,<2.0,!=1.5.7',
-+ 'PySocks>=1.5.6',
- ]
- },
- )
diff --git a/net/py-urllib3/files/pkg-message.in b/net/py-urllib3/files/pkg-message.in
index 4a619c6a094d..4aa5b9e1f1d9 100644
--- a/net/py-urllib3/files/pkg-message.in
+++ b/net/py-urllib3/files/pkg-message.in
@@ -1,7 +1,21 @@
[
-{ type: install
+{
message: <<EOM
-Be careful, support of IPv6 is broken with PySocks 1.5.7.
+Since version 1.25 HTTPS connections are now verified by default which is done
+via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be
+disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.
+
+Various consumers of net/py-urllib3 already have implemented routines that
+either explicitly enable or disable HTTPS certificate verification (e.g. via
+configuration settings, CLI arguments, etc.).
+
+Yet it may happen that there are still some consumers which don't explicitly
+enable/disable certificate verification for HTTPS connections which could then
+lead to errors (as is often the case with self-signed certificates).
+
+In case of an error one should try first to temporarily disable certificate
+verification of the problematic urllib3 consumer to see if that approach will
+remedy the issue.
EOM
}
]
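Review bot: The closing paragraph of the new message names disabling certificate verification as the first thing to try when a consumer fails, and gives no safer alternative. For the self-signed case mentioned in the paragraph before it, the message could add a sentence such as `If the server uses a self-signed or private CA certificate, prefer adding that certificate to the consumer's trusted CA bundle over disabling verification.` The word "temporarily" is easy to overlook, so it would also help to say that verification should be turned back on once the cause is found. The same wording is added to UPDATING in the 20191126 entry and would need the same change.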