Description of problem: The requests library supports multiple TLS/SSL backends through urllib3, amongst others PyOpenSSL and Python's ssl module. By default, requests overrides urllib3 defaults and attempts to inject PyOpenSSL as preferred implementation. Upstream prefers PyOpenSSL, because it supports old versions of Python, that lack certain features like SNI or proper hostname verification. PyOpenSSL is no longer necessary in Fedora. The ssl module of Python 2.7.9+ (PEP 466) and 3.6 contain all necessary features for secure TLS/SSL handshake. The hard dependency on PyOpenSSL and forceful injection in requests/__init__.py has multiple disadvantages: * Fedora requests RPM pulls in several additional packages that are not strictly required: PyOpenSSL, python-cryptography, python-asn1crypto, python-cffi * PyOpenSSL uses libffi's closures for some callbacks. The callbacks are not compatible with SELinux's execmem rules, because they require dynamic code creation with writeable, executable memory pages. libffi has a workaround, but the workaround is not fork-safe. For example, I had to add a workaround to FreeIPA to prevent SELinux violations from PyOpenSSL. * PyOpenSSL is a bit slower than ssl module. Performance used to be even worse. Version-Release number of selected component (if applicable): all How reproducible: always Fix: * Remove package requirements from spec file * Remove https://github.com/requests/requests/blob/master/requests/__init__.py#L93-L102
Hi Christian, python-urllib3 is the package that has the hard dependency on PyOpenSSL so I've dropped it in version 1.22-7.fc29. python-requests-2.18.4-4.fc29 has the injection patched out. I'll file bodhi updates on F28 and F27 for both as soon as the builds finish.
python-urllib3-1.22-7.fc28 python-requests-2.18.4-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b
python-urllib3-1.22-5.fc27 python-requests-2.18.4-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ae2c9dd927
python-requests-2.18.4-4.fc28, python-urllib3-1.22-7.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b
Wow, you are fast. Thanks a lot! You can also remove python[23]-cryptography and python[23]-idna from python-urllib. The packages are only imported by urllib3.contrib.pyopenssl.py.
python-requests-2.18.4-2.fc27, python-urllib3-1.22-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ae2c9dd927
python-requests-2.18.4-4.fc28 python-urllib3-1.22-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b
python[23]-cryptography and python[23]-idna requirements have been dropped from python-urllib3 in python-urllib3-1.22-8. Thanks!
python-requests-2.18.4-4.fc28, python-urllib3-1.22-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b
python-requests-2.18.4-4.fc28, python-urllib3-1.22-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
python-requests-2.18.4-2.fc27, python-urllib3-1.22-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.