Summary: | dev-python/twisted-8.2.0 with python-2.6 gives 'DeprecationWarning' for modules 'md5' and 'sha' | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | rinus <remspoor> |
Component: | Current packages | Assignee: | Python Gentoo Team <python> |
Status: | RESOLVED UPSTREAM | ||
Severity: | normal | CC: | djc, gentoobugs, m_zwart |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 230205 |
Description
rinus
2009-05-05 17:08:32 UTC
*** Bug 270400 has been marked as a duplicate of this bug. *** Looks like this should be fixed in twisted-8.2.0-r1. Can you verify? (In reply to comment #2) > Looks like this should be fixed in twisted-8.2.0-r1. Can you verify? > I emerged twisted-8.2.0-r1, twisted-web-8.2.0 and hellanzb-0.13-r7 and still get the deprecated messages. /usr/lib/python2.6/site-packages/twisted/internet/_sslverify.py:5: DeprecationWarning: the md5 module is deprecated; use hashlib instead import itertools, md5 Confirmed all around here. The hellanzb patch led me here. Still get the md5 deprecation warning on: /usr/lib64/python2.6/site-packages/twisted/internet/_sslverify.py with twisted-8.2.0-r1 While fixing this would be nice, the patch that was committed is terrible and really needs to be either fixed or removed. Here's what's wrong with it: - As mentioned on this bug it does not actually fix the problem. It removes one import of the "md5" module and one import of the "sha" module, but leaves many more of them in place, including one in the _sslverify module which is almost always hit (t.i.ssl imports it, t.i.posixbase imports that, and most reactors are built on top of posixbase). And there are probably others that are frequently hit, I did not do a thorough search. Although I wonder why you picked these two imports to "fix"... - The second of the two hunks introduces a bug. There are many ways to find out: - You could read the patch, and if you understand basic python syntax you would understand replacing "import sha" with "from hashlib import sha1" can never be correct: either the new import must also be called "sha", or the original import was unused and should have been removed. No knowledge of the python stdlib or twisted's code is necessary. - You could test the affected code by hand: calling twisted.python.filepath._secureEnoughString directly now unsurprisingly raises a NameError. Testing it using public methods is slightly more work but not rocket science either: "filepath.FilePath('/tmp').temporarySibling()" suffices. Or use moveTo across partitions if you prefer. - You could test the code by running the test suite. Obviously the test suite was run before committing, since the commit message was "Fixed test failures wrt bug #190433. Changed to EAPI 2. Added patches for py26 deprecations". But apparently not *immediately* before committing, since four or so tests in twisted.test.test_paths.FilePathTestCase now fail. - The first of the two hunks also introduces a bug. This is a more subtle one: you cannot find out by just reading the patch itself, unless you happen to know something about the stdlib modules involved (md5 and hashlib). Of course both testing the affected code by hand and running twisted's test suite still catch it: "AttributeError: 'builtin_function_or_method' object has no attribute 'new'". The bug is that while the hashlib module replaces the md5 and sha modules the hashlib.md5 *function* does not replace the md5 *module*. Skimming the documentation for both modules or reading http://docs.python.org/whatsnew/2.5.html#the-hashlib-package would have told you that hashlib.md5 replaces md5.new. Notice the same thing is true for sha: hashlib.sha replaces sha1.new, not the sha module. Please revert this patch, since both hunks introduce errors while only fixing warnings, and the warnings are still triggered elsewhere. Please at least skim the hashlib, md5 and sha module documentation before attempting to get rid of the DeprecationWarnings again (getting rid of them is still a good idea! There are some cases where getting them is annoying, like when twisted is used through a cron script, with any stderr output mailed). Just picking likely looking names in the hashlib module when you're told "use hashlib instead" in the DeprecationWarning does not suffice, unfortunately. Also note that while I keep mentioning tests above this does break "real" code too: dev-python/axiom uses temporarySibling when creating a new store. Axiom can only run on existing stores unless this patch is removed or fixed. (In reply to comment #5) > While fixing this would be nice, the patch that was committed is terrible and > really needs to be either fixed or removed. I agree :) . I removed this patch. Deprecation warnings are harmless, so we will wait for next release. |