Releases retrieved: 41.0.6 Upstream release that is considered latest: 41.0.6 Current version/release in rawhide: 41.0.5-1.fc40 URL: http://cryptography.io/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/5532/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-cryptography
Releases retrieved: 41.0.7 Upstream release that is considered latest: 41.0.7 Current version/release in rawhide: 41.0.5-1.fc40 URL: http://cryptography.io/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/5532/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-cryptography
Releases retrieved: 42.0.0 Upstream release that is considered latest: 42.0.0 Current version/release in rawhide: 41.0.5-2.fc40 URL: http://cryptography.io/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/5532/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-cryptography
python-cryptography FTBFS on Rawhide due to missing dependencies: nothing provides requested (crate(openssl-sys/default) >= 0.9.99 with crate(openssl-sys/default) < 0.10.0~) nothing provides requested (crate(openssl/default) >= 0.10.63 with crate(openssl/default) < 0.11.0~) nothing provides requested (crate(pem) >= 3.0.0 with crate(pem) < 4.0.0~) FreeIPA is not compatible with cryptography 42.0.0 due to new abstract properties in x509.Certificate class.
Releases retrieved: 43.0.0.dev1 Upstream release that is considered latest: 43.0.0.dev1 Current version/release in rawhide: 41.0.5-2.fc40 URL: http://cryptography.io/ Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ More information about the service that created this bug can be found at: https://docs.fedoraproject.org/en-US/package-maintainers/Upstream_Release_Monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from Anitya: https://release-monitoring.org/project/5532/ To change the monitoring settings for the project, please visit: https://src.fedoraproject.org/rpms/python-cryptography
I see some of the Depends On: tickets closed. What is this waiting for at this moment? FWIW, I had a look at the spec and took a stab at building. It seems that upstream removed setup.py in 42.0.0 so %py3_build is failing with: + /usr/bin/python3 setup.py build '--executable=/usr/bin/python3 -sP' /usr/bin/python3: can't open file '/builddir/build/BUILD/cryptography-42.0.2/setup.py': [Errno 2] No such file or directory
See comment 3. Last time I checked, some packages like FreeIPA were incompatible with 42.0. Let me check with FreeIPA upstream if they have addressed the issue. Upstream has moved to a modern wheel approach for the package. My update PR 28 also updates the spec file to use %pyproject RPM macros instead of the old %py3_build macros.
salt 3007.0 needs >= 42.
FEDORA-2024-36918807ad (python-cryptography-42.0.5-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-36918807ad
FEDORA-2024-534c900eff (python-cryptography-42.0.5-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-534c900eff
Can we get a F39 build since that is what is current and what most people are using, P&T of course.
F39 is lacking recent python-setuptools-rust, rust-pem, rust-openssl, and rust-openssl-sys versions. The F40 and Rawhide updates are also blocked by QA test failures. I can look into F39 build after the test issues have been solved and the necessary dependencies are available in F39.
I have created side tag f39-build-side-86167 and kicked off python-setuptools-rust-1.7.0-6.fc39 build in the side tag.
FEDORA-2024-534c900eff has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-534c900eff` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-534c900eff See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
I have unpushed updates to Rawhide and F40, because there are further complications. Adam figured out that several packages in Fedora have a upper version on on "cryptography < 42.0". The limit in PyOpenSSL is correct and the package has to be updated at the same time. In other cases it may be bad practice from upstream package maintainer. firmitas-0:0.1.2-5.fc40.noarch (python3.12dist(cryptography) < 42~~ with python3.12dist(cryptography) >= 36) oci-cli-0:3.37.10-1.fc40.noarch (python3.12dist(cryptography) < 42~~ with python3.12dist(cryptography) >= 3.2.1) pgadmin4-0:8.3-4.fc40.x86_64 (python3dist(cryptography) >= 41 with python3dist(cryptography) < 41.1) python3-oci-0:2.122.0-1.fc40.noarch (python3.12dist(cryptography) < 42~~ with python3.12dist(cryptography) >= 3.2.1) python3-pyOpenSSL-0:23.2.0-3.fc40.noarch ((python3.12dist(cryptography) < 40 or python3.12dist(cryptography) > 40) with (python3.12dist(cryptography) < 40.0.1 or python3.12dist(cryptography) > 40.0.1) with python3.12dist(cryptography) < 42~~ with python3.12dist(cryptography) >= 38)
I have moved the updates into side tags. We now have three side tags for the update: - f41-build-side-86213 - f40-build-side-86215 - f39-build-side-86167 The F39 side tag has python-setuptools-rust update and is waiting for rust-pem and rust-openssl updates. The F40 and F41 side tags have cryptography 42.0.5 builds.
Adam pointed out that pyOpenSSL update on F39 would introduce several backwards incompatible changes, https://bugzilla.redhat.com/show_bug.cgi?id=2246256#c9 . It's unlikely that I can update F39 to cryptography 42.0. I simply don't have time and resources to verify that pyOpenSSL 24.1 doesn't break any F39 package.
I see that https://bodhi.fedoraproject.org/updates/FEDORA-2024-534c900eff has some bad karma even on F40. What's the plan to move this forward?
What's the plan to move this forward, on F40 at least?
pyOpenSSL-24.1.0-1.fc41 was built but never pushed through bodhi: https://koji.fedoraproject.org/koji/buildinfo?buildID=2426220 Same for pyOpenSSL-24.1.0-1.fc40 https://koji.fedoraproject.org/koji/buildinfo?buildID=2426223 Both builds were eventually deleted. Anyway, the state of Rawhide is: firmitas-0:0.1.2-5.fc40.noarch (python3.12dist(cryptography) < 42~~ with python3.12dist(cryptography) >= 36) firmitas-0:0.1.2-5.fc40.src (python3dist(cryptography) < 42~~ with python3dist(cryptography) >= 36) python3-pyOpenSSL-0:23.2.0-3.fc40.noarch ((python3.12dist(cryptography) < 40 or python3.12dist(cryptography) > 40) with (python3.12dist(cryptography) < 40.0.1 or python3.12dist(cryptography) > 40.0.1) with python3.12dist(cryptography) < 42~~ with python3.12dist(cryptography) >= 38) The last one is generated from https://github.com/pyca/pyopenssl/blob/23.2.0/setup.py#L102 "cryptography>=38.0.0,<42,!=40.0.0,!=40.0.1" This was relaxed in https://github.com/pyca/pyopenssl/blob/24.1.0/setup.py#L96 to "cryptography>=41.0.5,<43". --------- Unless this gets reverted in distgit, the Python 3.13 rebuild will ship it (regardless of the firmitas issue). Please,d on't let unfinished updates linger in distgit-only for 2 months.
In the meantime, I opened https://src.fedoraproject.org/rpms/python-cryptography/pull-request/32 If we don't hear from Christian Heimes before the Python 3.13 rebuilds starts, we plan to merge the revert.
cryptography is up to 42.0.8 now. Is there any more progress or plans on how to make progress with this update?
Will this be backported to at least the currently supported version of Fedora, 40?
Any comment on the above comment?
Okay, everything pinning cryptography < 42 has been fixed in Rawhide so I've submitted https://bodhi.fedoraproject.org/updates/FEDORA-2024-2b95830c50 - we'll see what CI has to say. For F40, since pyOpenSSL 24.x.x didn't make it into F40 it's a little trickier. I looked at the diff between 23.2.0 and 24.0.0 and don't see any fixes for a newer cryptography so we _could_ just rebuild pyOpenSSL with the pinned dependency removed instead of verifying nothing in F40 used the APIs they removed.
FEDORA-2024-0b79d3a700 (python-cryptography-42.0.8-4.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-0b79d3a700
FEDORA-2024-0b79d3a700 (python-cryptography-42.0.8-4.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
Given that this ticket has been closed due to the push to the F41 repo, should I open a new ticket for an F40 backport?