Bug 963315 - python-requests: Use / depend on system version of python-backports-ssl_match_hostname package to use ssl.match_hostname() routine instead of embedding it directly again
python-requests: Use / depend on system version of python-backports-ssl_match...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: python-requests (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Arun S A G
Fedora Extras Quality Assurance
:
Depends On: 963306 963311 963313
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-15 11:55 EDT by Jan Lieskovsky
Modified: 2013-05-17 10:56 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 963313
Environment:
Last Closed: 2013-05-17 10:56:21 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-05-15 11:55:13 EDT
+++ This bug was initially created as a clone of Bug #963313 +++
+++ This bug was initially created as a clone of Bug #963311 +++
+++ This bug was initially created as a clone of Bug #963306 +++

Description of problem:
python-requests package (due to need / requirement of Python3's ssl.match_hostname() routine) embeds the code of the python-backports-ssl_match_hostname package.

Version-Release number of selected component (if applicable):
python-requests-1.1.0-3.fc19

How reproducible:
Always

Steps to Reproduce:
1. diff -s /root/rpmbuild/BUILD/python3-python-requests-1.1.0-3.fc17/requests/packages/urllib3/packages/ssl_match_hostname/__init__.py /root/rpmbuild/BUILD/backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py 
Files /root/rpmbuild/BUILD/python3-python-requests-1.1.0-3.fc17/requests/packages/urllib3/packages/ssl_match_hostname/__init__.py and /root/rpmbuild/BUILD/backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py are identical
  
Actual results:
ssl_match_hostname code from python-backports-ssl_match_hostname is embedded in python-requests code.

Expected results:
python-requests package should use / require system python-backports-ssl_match_hostname version, instead of directly embedding that code by itself again.

Additional info:
Since in the case a security flaw in the embedded code is found:
  https://bugzilla.redhat.com/show_bug.cgi?id=963260

the fact of embedding means a requirement to issue a python-requests package update too.
Comment 1 Ralph Bean 2013-05-15 14:58:56 EDT
I am confused as to how this is possible.  This patch should have removed everything under python_sitelib/requests/packages/

http://pkgs.fedoraproject.org/cgit/python-requests.git/commit/?id=2f898f274c560a0fb5ac48719a9529f68688fb7a
Comment 2 Ralph Bean 2013-05-15 15:05:27 EDT
python-requests-1.1.0-3 requires python-urllib3 which in turn requires python-backports-ssl_match_hostname

I feel sure that this is actually already fixed and in the stable repositories.

I would like to close this and the related bugs as NOTABUG.  Is that okay with you, Jan?
Comment 3 Toshio Ernie Kuratomi 2013-05-15 15:07:16 EDT
Additional confirmation that the bundled libraries are being stripped:

$ rpm -q python-requests
python-requests-1.1.0-3.fc17.noarch
$ rpm -ql python-requests|grep ssl_match_hostname                                  $
Comment 4 Florian Weimer 2013-05-15 15:15:13 EDT
(In reply to comment #1)
> I am confused as to how this is possible.  This patch should have removed
> everything under python_sitelib/requests/packages/

I think I may have confused Jan with a comment earlier today.  I spotted a bug in the ssl.match_hostname() function while looking at python-requests.  I didn't intended to imply that we bundle it in Fedora (even though upstream does, I think).

Note You need to log in before you can comment on or make changes to this bug.