Description of problem:
Build 1.16.0-5 changed python-dns' dependencies from python-crypto to python-pycryptodomex and added python-ecdsa. I noticed the change because it suddenly increased the installation size of FreeIPA by 30 MB (see #1802989). Both crypto libraries are only required for an optional feature of dnspython: to verify DNSSEC signatures. The rest of dns.dnssec and dnspython doesn't need these libraries.

There are also security concerns with both crypto libraries. For example the author and the current maintainer of ecdsa recommend against using the library for anything security related (see https://pypi.org/project/ecdsa/).

Could you please make the dependencies "Recommended" instead of "Required"? That would allow FreeIPA to not install the packages. FreeIPA doesn't use the DNSSEC signature verification code.

Version-Release number of selected component (if applicable):
python3-dns-1.16.0-7.fc31

How reproducible:
Always

Steps to Reproduce:
1. dnf install --setopt=install_weak_deps=False python3-dns

Actual results:
Installs python3-pycryptodomex python3-ecdsa

Expected results:
With --setopt=install_weak_deps=False dnf should not install weak dependencies.

Additional info:
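A quick check for the dependency change the report describes, added here as an example (it is not part of the bug report): it classifies each crypto library as a hard Requires or a weak Recommends of python3-dns. When rpm and an installed python3-dns are available it queries the real package; otherwise it runs on constructed sample data that mirrors the report (both libraries as hard requirements).

```shell
# Classify one dependency of a package as a hard or weak dependency.
# Usage: classify_dep <dep-name> <requires-list> <recommends-list>
# Both lists are newline-separated package names. Prints one of:
# required, recommended, absent.
classify_dep() {
  dep="$1"; requires="$2"; recommends="$3"
  if printf '%s\n' "$requires" | grep -q "^$dep\$"; then
    echo required
  elif printf '%s\n' "$recommends" | grep -q "^$dep\$"; then
    echo recommended
  else
    echo absent
  fi
}

# Report the two crypto libraries from the bug. Returns 0 only when
# neither is a hard Requires (i.e. install_weak_deps=False would skip them).
crypto_deps_are_weak() {
  requires="$1"; recommends="$2"
  status=0
  for dep in python3-pycryptodomex python3-ecdsa; do
    kind=$(classify_dep "$dep" "$requires" "$recommends")
    echo "$dep: $kind"
    [ "$kind" = required ] && status=1
  done
  return $status
}

# Live query on a Fedora host; `rpm -q --requires` prints e.g. "python(abi) = 3.8",
# so keep only the name before the first space.
if command -v rpm >/dev/null 2>&1 && rpm -q python3-dns >/dev/null 2>&1; then
  REQUIRES=$(rpm -q --requires python3-dns | sed 's/ .*//' | sort -u)
  RECOMMENDS=$(rpm -q --recommends python3-dns | sed 's/ .*//' | sort -u)
else
  # Constructed sample (not real rpm output) matching the reported 1.16.0-7 state.
  REQUIRES='python(abi)
python3-ecdsa
python3-pycryptodomex'
  RECOMMENDS=''
fi

crypto_deps_are_weak "$REQUIRES" "$RECOMMENDS" \
  || echo "python3-dns still hard-requires a crypto library"
```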
Paul, both python-ecdsa and python-pycryptodomex(libtomcrypt) are pretty horrible dependencies to have in general. If you can convince upstream to move to python-cryptography(openssl) it would be much welcome. Especially python-ecdsa SHOULD NOT be used, it is trivial to attack and extract private keys when it is in use.
https://github.com/rthalley/dnspython/pull/449 was pushed, we should probably backport this to Fedora/RHEL/CentOS, and finally get rid of those bad deps
FYI upstream is not going to do any new release for Python 2 so you are probably left with backports. Also dnspython 2.0 is going to be Python 3 only and likely introduce breaking changes to the API.
If you need backports, but do not have time to handle it, please give me a git tree that reflects the current code to backport to and I will provide you a working patch. That said do we care for python2 at all in Fedora?
FEDORA-2020-aaaa504a87 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-aaaa504a87
FEDORA-2020-aaaa504a87 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-aaaa504a87` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-aaaa504a87 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
This has been done in https://bodhi.fedoraproject.org/updates/FEDORA-2020-4e12b426c8