Bug 1229409 - ssl_match_hostname is no longer needed since Python 2.7.9
Summary: ssl_match_hostname is no longer needed since Python 2.7.9
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: python-backports-ssl_match_hostname
Version: 24
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Fedora Infrastructure SIG
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1231325 1231368 1231381 1231668 1232346 1399804
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-08 16:11 UTC by Carl George
Modified: 2017-07-25 19:02 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-25 19:02:39 UTC
Type: Bug


Attachments (Terms of Use)

Description Carl George 2015-06-08 16:11:09 UTC
Description of problem:
The package python-backports-ssl_match_hostname is no longer needed.  The code from this backport has been fully merged into the standard library in Python 2.7.9.

> The entirety of Python 3.4's ssl module has been backported for Python 2.7.9. See PEP 466 for justification.

* https://www.python.org/downloads/release/python-279/
* https://www.python.org/dev/peps/pep-0466/

Version-Release number of selected component (if applicable):
python-backports-ssl_match_hostname-3.4.0.2-4.fc22.noarch

How reproducible:
always

Steps to Reproduce:
1. grep -A7 'def match_hostname' /usr/lib/python2.7/site-packages/backports/ssl_match_hostname/__init__.py
2. grep -A7 'def match_hostname' /usr/lib64/python2.7/ssl.py

Actual results:
code is duplicated

Expected results:
don't duplicate this functionality in a separate module

Additional info:
Here is how we went about fixing it in the IUS Community project.
https://github.com/iuscommunity-pkg/python27-backports-ssl_match_hostname/issues/1

Comment 1 Tomas Hoger 2015-06-12 12:07:12 UTC
There are other packages that require python-backports-ssl_match_hostname today.  Some modules use backports.ssl_match_hostname only as fallback, i.e. they do:

  try:
      # python3.2+
      from ssl import match_hostname
  except ImportError:
      from backports.ssl_match_hostname import match_hostname

but other use it unconditionally:

  from backports.ssl_match_hostname import match_hostname

All those will need to get fixed before python-backports-ssl_match_hostname is dropped form the distribution, or python-backports-ssl_match_hostname can be changed to be a wrapper around system ssl module function.

Comment 2 Carl George 2015-06-12 14:24:32 UTC
Agreed.  For IUS we were lucky in that setuptools was the only module we packaged that depended on the backport, and they already had the necessary try statement in their code for PY2/PY3 compatibility [1].  I'm curious how many modules are out there that are hard-coded to use just backports.ssl_match_hostname.  It seems like something that should be fixed regards to help with eventual PY3 support.

[1] https://bitbucket.org/pypa/setuptools/commits/239773b54fe286e1cf048634c89102490718b820

Comment 3 Tomas Hoger 2015-06-12 14:42:06 UTC
(In reply to Carl George from comment #2)
> I'm curious how many modules are out there that are hard-coded to use just
> backports.ssl_match_hostname.

I noticed that in IPA:

https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/plugins/otptoken.py?id=9b706e74#n28

and also setuptools and tornado in RHEL-7 (these are not upstream issues I believe), so I assumed there may be more.

Comment 4 Carl George 2015-06-12 16:28:54 UTC
Here is a list of all packages in F22 with an explicit package dependency on the backport.

* freeipa-client-0:4.1.4-4.fc22.x86_64
* python-setuptools-0:12.0.3-1.fc22.noarch
* python-tornado-0:3.2.2-1.fc22.x86_64
* python-urllib3-0:1.10.4-2.20150503gita91975b.fc22.noarch
* transifex-client-0:0.10-3.fc21.noarch
* willie-0:4.5.0-1.fc22.noarch

These ones appear fine at first glance to just outright remove the dependency in the rpm spec file, base on try/except statements or hasattr checks.

* python-setuptools-0:12.0.3-1.fc22.noarch
  https://bitbucket.org/pypa/setuptools/src/bf8c5bcacd49bf0f9648013a40ebfc8f7c727f7b/setuptools/ssl_support.py?at=12.0.3#cl-45

* python-tornado-0:3.2.2-1.fc22.x86_64
  https://github.com/tornadoweb/tornado/blob/v3.2.2/tornado/netutil.py#L32-L38

* python-urllib3-0:1.10.4-2.20150503gita91975b.fc22.noarch
  https://github.com/shazow/urllib3/blob/1.10.4/urllib3/packages/ssl_match_hostname/__init__.py#L1-L10

* willie-0:4.5.0-1.fc22.noarch
  https://github.com/embolalia/willie/blob/4.5.0/willie/web.py#L33-L40
  https://github.com/embolalia/willie/blob/4.5.0/willie/irc.py#L29-L41

I saw the same thing as you with freeipa-client, it will need to get smarter before the dependency can get dropped.

The last one is transifex-client, and it's kinda weird. It looks like it is being patched to use the system backports.ssl_match_hostname, in which case the patch would just need to be updated.

http://pkgs.fedoraproject.org/cgit/transifex-client.git/tree/transifex-client-0.9-use-system-wide-backports-ssl.patch

But I don't think that patch should apply cleanly to the 0.10 source code, so I'm not sure how the package was ever built in the first place.

https://github.com/transifex/transifex-client/blob/0.10/txclib/web.py

Regardless, I think a new patch can cure what ails them.  I'll start working on opening up separate bugs for the respective packages to get the clean up started, and then this bug can be marked to depend on them.

Comment 5 Tomas Hoger 2015-06-15 06:54:04 UTC
(In reply to Carl George from comment #4)
> The last one is transifex-client, and it's kinda weird. It looks like it is
> being patched to use the system backports.ssl_match_hostname, in which case
> the patch would just need to be updated.
> 
> http://pkgs.fedoraproject.org/cgit/transifex-client.git/tree/transifex-
> client-0.9-use-system-wide-backports-ssl.patch
> 
> But I don't think that patch should apply cleanly to the 0.10 source code,
> so I'm not sure how the package was ever built in the first place.
> 
> https://github.com/transifex/transifex-client/blob/0.10/txclib/web.py

That patch is no longer applied as of rebase to 0.10:

http://pkgs.fedoraproject.org/cgit/transifex-client.git/commit/?h=f21&id=5ed61c89115ad7c0ec59b7394bfb48ecb2bdadfc

There is embedded copy of match_hostname() in embedded urllib3 and only used in embedded urllib3.  Embedding urllib3 is packaging policy violation of its own.

Comment 6 Carl George 2015-06-16 19:34:34 UTC
I sent a patch upstream for FreeIPA.

https://fedorahosted.org/freeipa/ticket/5068

Comment 7 Ralph Bean 2015-09-15 20:27:04 UTC
I know python-urllib3 got a fix for this.  Have all of these dependencies been dealt with?  Can we retire python-backports-ssl_match_hostname in rawhide?  Thanks for working on this :)

Comment 8 Carl George 2015-09-15 21:21:31 UTC
Hey Ralph,

Here is what I know is left.

* willie (rhbz#1232346)
* transifex-client
* freeipa-client

Comment 9 Toshio Ernie Kuratomi 2015-12-19 22:51:58 UTC
Note -- I just released a new upstream version that backports the python-3.5 support for IPAddress ServerAltNames.  So the backport package is now ahead of python-2.7.9 (and 2.7.10).  This could change as upstream python makes new 2.7.x releases.  Someone should talk to ncoghlan about whether that's something he's going to be pushing for upstream.

Programs which don't care about verifying certificates by ip address don't need to care about the new upstream version.  I'm guessing that most programs would consider it a bug if they have users who create their own certs that work via ip address otherwise they'll never notice that ipaddress isn't supported.

Comment 10 Fedora Admin XMLRPC Client 2016-04-04 19:56:45 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 11 Fedora End Of Life 2016-07-19 20:10:13 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 12 Carl George 2016-07-20 13:30:44 UTC
As of F23, here are the packages still blocking retirement of python-backports-ssl_match_hostname.

* willie (#1232346)
* transifex-client (can by indirectly resolved by addressing #1231668)

Comment 13 Fedora End Of Life 2016-11-24 11:52:13 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 14 Carl George 2016-11-29 18:55:53 UTC
In F24 and F25, here are the packages still blocking the retirement of python-backports-ssl_match_hostname.

* python-docker-py (bug 1399804)
* transifex-client (can by indirectly resolved by addressing bug 1231668)

Comment 15 Fedora End Of Life 2017-07-25 18:57:20 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 16 Carl George 2017-07-25 19:02:39 UTC
Since backports.ssl_match_hostname got updated to 3.5.0.1 (Python 3.5's ssl module), my request to remove this package doesn't actually make sense anymore.  The package is still relevant for python(2) as well as python34 in EPEL.


Note You need to log in before you can comment on or make changes to this bug.