Bug 611600 - dev-python/keyczar: support dev-python/pycryptodome
Summary: dev-python/keyczar: support dev-python/pycryptodome
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Python Gentoo Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: pycryptodome-tracker
Reported: 2017-03-03 23:15 UTC by Michał Górny
Modified: 2017-12-25 01:44 UTC (History)
CC List: 5 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Remove keyczar support; migrate from pycrypto to pycryptodome. (keyrings-remove-keyczar-pycryptodome.patch,5.91 KB, patch)
2017-12-25 01:44 UTC, Daniel Robbins

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-03-03 23:15:55 UTC
See tracker.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-03-27 15:49:25 UTC
  File "/usr/lib64/python2.7/site-packages/Crypto/PublicKey/RSA.py", line 393, in decrypt
    raise NotImplementedError("Use module Crypto.Cipher.PKCS1_OAEP instead")
NotImplementedError: Use module Crypto.Cipher.PKCS1_OAEP instead
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-03-27 16:01:10 UTC
Do we want to keep this package? It seems barely maintained upstream, with a lot of open bugs and an official list of security issues with the design [1]. AFAICS it's only an optional dependency of app-admin/ansible (CC-ing its maintainers).

Depending on how important keyczar is to ansible, I'd say we should either lastrite it, or pass maintenance over to ansible maintainers.

[1]: https://github.com/google/keyczar#known-security-issues
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-03-27 18:22:20 UTC
I'm fine with removing support of keyczar from ansible.  Pipelining should be used now.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-03-27 18:55:19 UTC
But does removing it break anything for users, or does it switch transparently?
Comment 5 Daniel Robbins 2017-12-23 00:08:13 UTC
While the upstream sources still reference pycrypto, the sources appear to be fully compatible with pycryptodome. Simply updating ebuild dependencies to reference pycryptodome should be sufficient. Also note that this package will find and prefer m2crypto if installed, in which case it will not use pycrypto(dome) at all.
Comment 6 Daniel Robbins 2017-12-23 00:10:11 UTC
OK, missed mgorny's comment -- and it looks like it may need a patch for pycryptodome :/ -- working on it...
Comment 7 Daniel Robbins 2017-12-23 00:39:08 UTC
OK, the code makes extensive use of one of the design patterns in pycrypto that was deprecated in pycryptodome -- the use of .encrypt() and .decrypt() methods. It is possible to get the code working with pycryptodome but would require a significant amount of work. It may be best to deprecate this ebuild as it seems to have some security issues in its general design, so things should be migrating away from it anyway.
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-12-23 06:18:00 UTC
dev-python/wheel needs keyrings_alt which needs keyczar
Comment 9 Daniel Robbins 2017-12-25 01:12:25 UTC
Think of this as an amputation for security reasons and an unwavering commitment to the health of the portage tree. Let's figure out what limb to remove. keyrings_alt simply looks like it offers alternate storage backends for keyring. In theory it should be safe to remove keyczar support from keyrings_alt and not impact wheel. I will research further as it would be lovely to remove keyczar.
Comment 10 Daniel Robbins 2017-12-25 01:17:40 UTC
OK, as I suspected, support for keyczar in keyrings.alt is just one of its modules. I'll develop a patch for keyrings.alt to remove the keyczar dependency and it looks like keyrings.alt has a hidden dependency on pycrypto as well (at least according to one of its open github issues) so I'll investigate that as well and see if I can address it.
Comment 11 Daniel Robbins 2017-12-25 01:44:03 UTC
Created attachment 511580
Remove keyczar support; migrate from pycrypto to pycryptodome.

Attached is a patch which removes keyczar support and migrates keyrings.alt from pycrypto to pycryptodome. Applies against GitHub master https://github.com/jaraco/keyrings.alt 2702f9159502fc784815c50e03002991b6745f19