Bug 1802998

Summary: Make pycryptodomex and ecdsa weak dependencies of python-dns
Product: [Fedora] Fedora
Reporter: Christian Heimes <cheimes>
Component: python-dns
Assignee: Paul Wouters <pwouters>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 31
CC: aviso, lbalhar, louiz, pspacek, pwouters, ssorce
Hardware: Unspecified
OS: Unspecified
Clones: 1821836
Last Closed: 2020-06-24 05:22:54 UTC
Type: Bug
Bug Blocks: 1821836, 1824036

Description Christian Heimes 2020-02-14 09:54:22 UTC
Description of problem:
Build 1.16.0-5 changed python-dns' dependencies from python-crypto to python-pycryptodomex and added python-ecdsa. I noticed the change because it suddenly increased the installation size of FreeIPA by 30 MB (see #1802989).

Both crypto libraries are only required for an optional feature of dnspython: verifying DNSSEC signatures. The rest of dns.dnssec and dnspython doesn't need these libraries. There are also security concerns with both crypto libraries. For example, the author and the current maintainer of ecdsa recommend against using the library for anything security related (see https://pypi.org/project/ecdsa/).

Could you please make the dependencies "Recommended" instead of "Required"? That would allow FreeIPA to not install the packages. FreeIPA doesn't use the DNSSEC signature verification code.

Version-Release number of selected component (if applicable):
python3-dns-1.16.0-7.fc31

How reproducible:
Always

Steps to Reproduce:
1. dnf install --setopt=install_weak_deps=False python3-dns

Actual results:
Installs python3-pycryptodomex python3-ecdsa

Expected results:
With --setopt=install_weak_deps=False dnf should not install weak dependencies.

Additional info:
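The report above hinges on the difference between a hard `Requires:` and a weak `Recommends:` in the RPM metadata: `dnf --setopt=install_weak_deps=False` only skips the latter. The following shell script is an added example, not part of the bug report or of the python-dns package, that classifies the two crypto libraries named in the report as hard, weak or absent dependencies. On a real system the two inputs would come from `rpm -q --requires python3-dns` and `rpm -q --recommends python3-dns`; here both are constructed sample outputs (the `python(abi)` line and the "before"/"after" layouts are assumptions for illustration) so the script runs offline.

```shell
#!/bin/sh
# Added example: tell hard Requires from weak Recommends for the DNSSEC
# crypto libraries of python3-dns. Not code from the bug report or package.
#
# Live inputs would be:
#   rpm -q --requires   python3-dns
#   rpm -q --recommends python3-dns
# In the spec file the requested change is "Requires:" -> "Recommends:".

# Constructed sample: the layout the report complains about (hard Requires).
SAMPLE_REQUIRES_BEFORE='python(abi) = 3.7
python3-pycryptodomex
python3-ecdsa'
SAMPLE_RECOMMENDS_BEFORE=''

# Constructed sample: the requested layout (weak Recommends only).
SAMPLE_REQUIRES_AFTER='python(abi) = 3.7'
SAMPLE_RECOMMENDS_AFTER='python3-pycryptodomex
python3-ecdsa'

# The two packages the report wants demoted to weak dependencies.
CRYPTO_DEPS='python3-pycryptodomex python3-ecdsa'

# dep_listed LIST NAME: true if NAME is the package name on some line of
# LIST (version constraints such as ">= 3.9" on the same line are ignored).
dep_listed() {
    printf '%s\n' "$1" | awk '{print $1}' | grep -qx -- "$2"
}

# classify_deps REQUIRES RECOMMENDS
# Prints one line per crypto dependency: "<name> hard|weak|absent".
classify_deps() {
    requires=$1
    recommends=$2
    for dep in $CRYPTO_DEPS; do
        if dep_listed "$requires" "$dep"; then
            echo "$dep hard"
        elif dep_listed "$recommends" "$dep"; then
            echo "$dep weak"
        else
            echo "$dep absent"
        fi
    done
}

# hard_crypto_deps REQUIRES RECOMMENDS
# Exit status 0 if any crypto library is still a hard Requires, i.e. it
# would be installed even with --setopt=install_weak_deps=False.
hard_crypto_deps() {
    classify_deps "$1" "$2" | grep -q ' hard$'
}

# Stand-alone run: show both layouts.
echo "before:"
classify_deps "$SAMPLE_REQUIRES_BEFORE" "$SAMPLE_RECOMMENDS_BEFORE"
echo "after:"
classify_deps "$SAMPLE_REQUIRES_AFTER" "$SAMPLE_RECOMMENDS_AFTER"
```

Run against real `rpm -q` output, `hard_crypto_deps` returning success is the condition the report describes: the crypto libraries are pulled in regardless of the weak-deps setting.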

Comment 1 Simo Sorce 2020-04-07 17:27:13 UTC
Paul,
both python-ecdsa and python-pycryptodomex (libtomcrypt) are pretty horrible dependencies to have in general.
If you can convince upstream to move to python-cryptography (openssl), it would be very welcome.

Especially python-ecdsa SHOULD NOT be used; it is trivial to attack and extract private keys when it is in use.

Comment 2 Simo Sorce 2020-04-08 17:01:02 UTC
https://github.com/rthalley/dnspython/pull/449 was pushed; we should probably backport this to Fedora/RHEL/CentOS and finally get rid of those bad deps.

Comment 3 Petr Špaček 2020-04-09 15:43:52 UTC
FYI, upstream is not going to do any new release for Python 2, so you are probably left with backports. Also, dnspython 2.0 is going to be Python 3 only and will likely introduce breaking changes to the API.

Comment 4 Simo Sorce 2020-04-09 19:58:49 UTC
If you need backports but do not have time to handle them, please give me a git tree that reflects the current code to backport to and I will provide you with a working patch.

That said, do we care for python2 at all in Fedora?

Comment 5 Fedora Update System 2020-04-16 17:13:12 UTC
FEDORA-2020-aaaa504a87 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-aaaa504a87

Comment 6 Fedora Update System 2020-04-16 19:29:49 UTC
FEDORA-2020-aaaa504a87 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-aaaa504a87`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-aaaa504a87

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Lumír Balhar 2020-06-24 05:22:54 UTC
This has been done in https://bodhi.fedoraproject.org/updates/FEDORA-2020-4e12b426c8