Bug 821706 - app-misc/ca-certificates-20211016.3.72: needs dev-python/cryptography if not precompiled (ModuleNotFoundError: No module named 'cryptography')
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2021-11-04 18:54 UTC by HougeLangley
Modified: 2022-06-17 01:47 UTC

Attachments
emerge --info (emerge --info,5.48 KB, text/plain)
2021-11-04 18:55 UTC, HougeLangley
Description HougeLangley 2021-11-04 18:54:00 UTC
houge@Gentoo-Musl ~ $ doas cat /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/temp/build.log
doas (houge@Gentoo-Musl) password:
 * Package:    app-misc/ca-certificates-20211016.3.72
 * Repository: gentoo
 * Maintainer: base-system@gentoo.org
 * USE:        abi_x86_64 amd64 elibc_musl kernel_linux userland_GNU
 * FEATURES:   network-sandbox preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking ca-certificates_20211016.tar.xz to /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work
>>> Unpacking nss-3.72.tar.gz to /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work
>>> Source unpacked in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work
>>> Preparing source in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work ...
 * Applying ca-certificates-20150426-root.patch ...
 [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work ...
 * Using python3.10 to build
make -j40 -C /var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla
make: Entering directory '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla'
python3 certdata2pem.py
Traceback (most recent call last):
  File "/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla/certdata2pem.py", line 31, in <module>
    from cryptography import x509
ModuleNotFoundError: No module named 'cryptography'
make: *** [Makefile:6: all] Error 1
make: Leaving directory '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/ca-certificates-20211016/mozilla'
 * ERROR: app-misc/ca-certificates-20211016.3.72::gentoo failed (compile phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=app-misc/ca-certificates-20211016.3.72::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=app-misc/ca-certificates-20211016.3.72::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/temp/environment'.
 * Working directory: '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work/image'
 * S: '/var/tmp/portage/app-misc/ca-certificates-20211016.3.72/work'

Reproducible: Always
Comment 1 HougeLangley 2021-11-04 18:55:01 UTC
Created attachment 748653
emerge --info
Comment 2 Larry the Git Cow gentoo-dev 2021-11-04 19:07:57 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f7c9880325c44bde2b3ffbc54f5e5c865a526709

commit f7c9880325c44bde2b3ffbc54f5e5c865a526709
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-04 19:07:38 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-04 19:07:38 +0000

    app-misc/ca-certificates: fix Python dependencies
    
    Closes: https://bugs.gentoo.org/821706
    Signed-off-by: Sam James <sam@gentoo.org>

 .../ca-certificates/ca-certificates-20211016.3.72.ebuild     | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-04 19:27:08 UTC
So, the dependency is fixed, but dev-python/cryptography will soon (not yet) need Rust (bug 769482).

What do we do then? Always ship precompiled ca-certs?
Comment 4 Alex Xu (Hello71) 2021-11-05 19:08:20 UTC
imo just patch it out. the only practical effect is adding three lines about expired dst root which only affects openssl 1.0.2 in a log which basically no gentoo users will read.

--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -28,8 +28,6 @@
 import textwrap
 import io

-from cryptography import x509
-

 objects = []

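Review bot: the unconditional removal of `from cryptography import x509` at the top of certdata2pem.py drops the module for every build, including hosts where dev-python/cryptography is already installed. Making the import optional (`try: from cryptography import x509` with `except ImportError: x509 = None`) would avoid the ModuleNotFoundError from the build log while keeping the module usable where it exists.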
@@ -122,12 +120,6 @@
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue

-        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-        if cert.not_valid_after < datetime.datetime.now():
-            print('!'*74)
-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
-            print('!'*74)
-
         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
                                       .replace(' ', '_')\
                                       .replace('(', '=')\
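Review bot: deleting the block that starts at `cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])` removes the only build-time notice that a certificate still marked trusted has expired, and nothing replaces it. If the check is kept behind an optional import instead, the removed comparison `cert.not_valid_after < datetime.datetime.now()` mixes a naive UTC value with local time and should use UTC on both sides. If the block does go, check whether `datetime` is still needed in the file, since the visible context shows no other use.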

WFM with this patch.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-11-05 19:25:30 UTC
You could also catch ImportError and make the code gracefully handle missing cryptography.
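
The approach suggested in comment 5, as an added example (not code from certdata2pem.py or from the Gentoo fix): the import becomes optional and the expiry warning is skipped when the module is missing. The names `expired_labels`, `load_not_after` and `DEFAULT_NOT_AFTER` are hypothetical, and the sample objects are constructed placeholders rather than real certificates.

```python
import datetime
import sys

# Optional dependency: a missing module only disables the expiry warning.
try:
    from cryptography import x509
except ImportError:
    x509 = None


def load_not_after(der):
    """notAfter of a DER certificate, as the naive UTC datetime cryptography returns."""
    return x509.load_der_x509_certificate(der).not_valid_after


# None means "no way to parse certificates on this host".
DEFAULT_NOT_AFTER = load_not_after if x509 is not None else None


def expired_labels(objects, now=None, not_after=DEFAULT_NOT_AFTER):
    """Return labels of objects whose certificate has expired, or None when
    the check was skipped because no certificate parser is available."""
    if not_after is None:
        print('cryptography not installed; skipping expiry check', file=sys.stderr)
        return None
    if now is None:
        # Naive UTC, to match what not_valid_after returns.
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return [obj['CKA_LABEL'] for obj in objects
            if not_after(obj['CKA_VALUE']) < now]


# Constructed sample: placeholder bytes instead of real DER, with a stub
# lookup standing in for certificate parsing so the demo needs no module.
SAMPLE_OBJECTS = [
    {'CKA_LABEL': '"Constructed Expired Root"', 'CKA_VALUE': b'cert-a'},
    {'CKA_LABEL': '"Constructed Valid Root"', 'CKA_VALUE': b'cert-b'},
]
SAMPLE_NOT_AFTER = {
    b'cert-a': datetime.datetime(2021, 9, 30),
    b'cert-b': datetime.datetime(2035, 1, 1),
}

if __name__ == '__main__':
    now = datetime.datetime(2021, 11, 4)
    for label in expired_labels(SAMPLE_OBJECTS, now, SAMPLE_NOT_AFTER.get):
        print('Trusted but expired certificate found: %s' % label)
    # Simulate a host without cryptography: the check is skipped, not fatal.
    assert expired_labels(SAMPLE_OBJECTS, now, not_after=None) is None
```
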
Comment 6 Alex Xu (Hello71) 2021-11-14 01:43:01 UTC
(In reply to Michał Górny from comment #5)
> You could also catch ImportError and make the code gracefully handle missing
> cryptography.

ok either way with me. i leave it up to base-system@.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-11-26 07:41:18 UTC
The original issue is fixed, so let's use the other bug: bug 827354.