Bug 963315 - python-requests: Use / depend on system version of python-backports-ssl_match_hostname package to use ssl.match_hostname() routine instead of embedding it directly again
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: python-requests
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Arun S A G
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 963306 963311 963313
Blocks:
Reported: 2013-05-15 15:55 UTC by Jan Lieskovsky
Modified: 2013-05-17 14:56 UTC

Fixed In Version:
Clone Of: 963313
Environment:
Last Closed: 2013-05-17 14:56:21 UTC
Type: Bug
Embargoed:



Description Jan Lieskovsky 2013-05-15 15:55:13 UTC
+++ This bug was initially created as a clone of Bug #963313 +++
+++ This bug was initially created as a clone of Bug #963311 +++
+++ This bug was initially created as a clone of Bug #963306 +++

Description of problem:
python-requests package (due to need / requirement of Python3's ssl.match_hostname() routine) embeds the code of the python-backports-ssl_match_hostname package.

Version-Release number of selected component (if applicable):
python-requests-1.1.0-3.fc19

How reproducible:
Always

Steps to Reproduce:
1. diff -s /root/rpmbuild/BUILD/python3-python-requests-1.1.0-3.fc17/requests/packages/urllib3/packages/ssl_match_hostname/__init__.py /root/rpmbuild/BUILD/backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py 
Files /root/rpmbuild/BUILD/python3-python-requests-1.1.0-3.fc17/requests/packages/urllib3/packages/ssl_match_hostname/__init__.py and /root/rpmbuild/BUILD/backports.ssl_match_hostname-3.2a3/src/backports/ssl_match_hostname/__init__.py are identical
  
Actual results:
ssl_match_hostname code from python-backports-ssl_match_hostname is embedded in python-requests code.

Expected results:
python-requests package should use / require system python-backports-ssl_match_hostname version, instead of directly embedding that code by itself again.

Additional info:
Since in the case a security flaw in the embedded code is found:
  https://bugzilla.redhat.com/show_bug.cgi?id=963260

the fact of embedding means a requirement to issue a python-requests package update too.

Comment 1 Ralph Bean 2013-05-15 18:58:56 UTC
I am confused as to how this is possible.  This patch should have removed everything under python_sitelib/requests/packages/

http://pkgs.fedoraproject.org/cgit/python-requests.git/commit/?id=2f898f274c560a0fb5ac48719a9529f68688fb7a

Comment 2 Ralph Bean 2013-05-15 19:05:27 UTC
python-requests-1.1.0-3 requires python-urllib3 which in turn requires python-backports-ssl_match_hostname

I feel sure that this is actually already fixed and in the stable repositories.

I would like to close this and the related bugs as NOTABUG.  Is that okay with you, Jan?

Comment 3 Toshio Ernie Kuratomi 2013-05-15 19:07:16 UTC
Additional confirmation that the bundled libraries are being stripped:

$ rpm -q python-requests
python-requests-1.1.0-3.fc17.noarch
$ rpm -ql python-requests|grep ssl_match_hostname
$
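
Added example, not part of the original thread or of the Fedora packaging: a Python script that generalizes the `diff -s` and `rpm -ql | grep` checks above by walking an unpacked tree for every ssl_match_hostname/__init__.py and comparing it with the system copy. The function names and the sample file contents are assumptions constructed for illustration; only the directory layout is taken from the paths quoted in the report.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's bytes."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_bundled_copies(tree, reference, dirname="ssl_match_hostname"):
    """Report every <dirname>/__init__.py under `tree` other than `reference`.

    Returns a sorted list of (path, status): "identical" when the file matches
    the reference byte for byte (what `diff -s` reports), "modified" when a
    copy exists but has drifted and would need its own review and update.
    """
    ref_digest = sha256_of(reference)
    ref_real = os.path.realpath(reference)
    hits = []
    for root, _dirs, files in os.walk(tree):
        if os.path.basename(root) != dirname or "__init__.py" not in files:
            continue
        candidate = os.path.join(root, "__init__.py")
        if os.path.realpath(candidate) == ref_real:
            continue  # the system copy itself is not a bundled copy
        same = sha256_of(candidate) == ref_digest
        hits.append((candidate, "identical" if same else "modified"))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample layout mirroring the paths quoted in the report."""
    body = b"def match_hostname(cert, hostname):\n    pass\n"  # placeholder body
    system = os.path.join(base, "backports", "ssl_match_hostname")
    bundled = os.path.join(base, "requests", "packages", "urllib3",
                           "packages", "ssl_match_hostname")
    for directory in (system, bundled):
        os.makedirs(directory)
        with open(os.path.join(directory, "__init__.py"), "wb") as fh:
            fh.write(body)
    return os.path.join(system, "__init__.py"), os.path.join(base, "requests")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        reference, tree = build_sample_tree(tmp)
        for path, status in find_bundled_copies(tree, reference):
            print(status, os.path.relpath(path, tmp))
```

An empty result corresponds to the stripped state confirmed in comment 3; an "identical" or "modified" hit means the package carries its own copy that a fix to the system module would not reach.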

Comment 4 Florian Weimer 2013-05-15 19:15:13 UTC
(In reply to comment #1)
> I am confused as to how this is possible.  This patch should have removed
> everything under python_sitelib/requests/packages/

I think I may have confused Jan with a comment earlier today.  I spotted a bug in the ssl.match_hostname() function while looking at python-requests.  I didn't intend to imply that we bundle it in Fedora (even though upstream does, I think).

