Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package python-astropy. Since OpenSSL removed SSLv2 and SSLv3, building python-astropy failed, which is reported in bug #775780. A debdiff is attached. unblock python-astropy/0.4.2-2 -- System Information: Debian Release: 8.0 APT prefers testing-updates APT policy: (500, 'testing-updates'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
diff -Nru python-astropy-0.4.2/debian/changelog python-astropy-0.4.2/debian/changelog
--- python-astropy-0.4.2/debian/changelog 2014-09-24 16:01:03.000000000 +0200
+++ python-astropy-0.4.2/debian/changelog 2015-01-19 21:09:28.000000000 +0100
@@ -1,3 +1,9 @@
+python-astropy (0.4.2-2) unstable; urgency=medium
+
+ * Don't set defalt SSL protocol in vo/samp/client.py. Closes: #775780
+
+ -- Ole Streicher <oleb...@debian.org> Mon, 19 Jan 2015 21:07:18 +0100
+
 python-astropy (0.4.2-1) unstable; urgency=low
 
 * New upstream release.
diff -Nru python-astropy-0.4.2/debian/patches/remove_ssl_2_3.patch python-astropy-0.4.2/debian/patches/remove_ssl_2_3.patch
--- python-astropy-0.4.2/debian/patches/remove_ssl_2_3.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-astropy-0.4.2/debian/patches/remove_ssl_2_3.patch 2015-01-19 17:21:10.000000000 +0100
@@ -0,0 +1,273 @@
+From: Michael Droettboom <mdb...@gmail.com>
+Date: Fri, 16 Jan 2015 09:58:27 -0500
+Subject: [PATCH] Let Python choose the default SSL protocol for us.
+--- a/astropy/vo/samp/client.py
++++ b/astropy/vo/samp/client.py
+@@ -85,13 +85,13 @@
+ passed from the Hub end of the connection.
+
+ ssl_version : int, optional
+- Which version of the SSL protocol to use. Typically, the server
+- chooses a particular protocol version, and the client must adapt to
+- the server's choice. Most of the versions are not interoperable with
+- the other versions. If not specified the default SSL version is
+- `ssl.PROTOCOL_SSLv23`. This version provides the most compatibility
+- with other versions Hub side. Other SSL protocol versions are:
+- `ssl.PROTOCOL_SSLv2`, `ssl.PROTOCOL_SSLv3` and `ssl.PROTOCOL_TLSv1`.
++ Which version of the SSL protocol to use. Typically, the
++ server chooses a particular protocol version, and the client
++ must adapt to the server's choice. Most of the versions are
++ not interoperable with the other versions. If not specified,
++ the default SSL version is taken from the default in the
++ installed version of the Python standard `ssl` library. See
++ the `ssl` documentation for more information.
+
+ callable : bool, optional
+ Whether the client can receive calls and notifications. If set to
+@@ -118,9 +118,6 @@
+ if description is not None:
+ metadata["samp.description.text"] = description
+
+- if SSL_SUPPORT and ssl_version is None:
+- ssl_version = ssl.PROTOCOL_SSLv23
+-
+ self._metadata = metadata
+
+ self._addr = addr
+--- a/astropy/vo/samp/hub.py
++++ b/astropy/vo/samp/hub.py
+@@ -114,14 +114,14 @@
+ passed from the Hub end of the connection.
+
+ ssl_version : int, optional
+- The ``ssl_version`` option specifies which version of the SSL protocol
+- to use. Typically, the server chooses a particular protocol version,
+- and the client must adapt to the server's choice. Most of the versions
+- are not interoperable with the other versions. If not specified the
+- default SSL version is `ssl.PROTOCOL_SSLv23`. This version provides
+- the most compatibility with other versions client side. Other SSL
+- protocol versions are: `ssl.PROTOCOL_SSLv2`, `ssl.PROTOCOL_SSLv3` and
+- `ssl.PROTOCOL_TLSv1`.
++ The ``ssl_version`` option specifies which version of the SSL
++ protocol to use. Typically, the server chooses a particular
++ protocol version, and the client must adapt to the server's
++ choice. Most of the versions are not interoperable with the
++ other versions. If not specified, the default SSL version is
++ taken from the default in the installed version of the Python
++ standard `ssl` library. See the `ssl` documentation for more
++ information.
+
+ web_profile : bool, optional
+ Enables or disables the Web Profile support.
+@@ -165,9 +165,6 @@
+ self._client_timeout = client_timeout
+ self._pool_size = pool_size
+
+- if SSL_SUPPORT and ssl_version is None:
+- ssl_version = ssl.PROTOCOL_SSLv23
+-
+ self._web_profile = web_profile
+ self._web_profile_server = None
+ self._web_profile_callbacks = {}
+--- a/astropy/vo/samp/hub_proxy.py
++++ b/astropy/vo/samp/hub_proxy.py
+@@ -78,14 +78,14 @@
+ certificate passed from the Hub end of the connection.
+
+ ssl_version : int, optional
+- Which version of the SSL protocol to use. Typically, the server
+- chooses a particular protocol version, and the client must adapt
+- to the server's choice. Most of the versions are not interoperable
+- with the other versions. If not specified the default SSL version
+- is `ssl.PROTOCOL_SSLv3`. This version provides the most
+- compatibility with other versions server side. Other SSL protocol
+- versions are: `ssl.PROTOCOL_SSLv2`, `ssl.PROTOCOL_SSLv3` and
+- `ssl.PROTOCOL_TLSv1`.
++ Which version of the SSL protocol to use. Typically, the
++ server chooses a particular protocol version, and the
++ client must adapt to the server's choice. Most of the
++ versions are not interoperable with the other versions. If
++ not specified, the default SSL version is taken from the
++ default in the installed version of the Python standard
++ `ssl` library. See the `ssl` documentation for more
++ information.
+
+ pool_size : int, optional
+ The number of socket connections opened to communicate with the
+@@ -95,9 +95,6 @@
+ self._connected = False
+ self.lockfile = {}
+
+- if SSL_SUPPORT and ssl_version is None:
+- ssl_version = ssl.PROTOCOL_SSLv3
+-
+ if hub is not None and hub_params is not None:
+ raise ValueError("Cannot specify both hub and hub_params")
+
+--- a/astropy/vo/samp/hub_script.py
++++ b/astropy/vo/samp/hub_script.py
+@@ -148,10 +148,14 @@
+ "SSL protocol to use. Typically, the server chooses a particular "
+ "protocol version, and the client must adapt to the server's choice. "
+ "Most of the versions are not interoperable with the other versions. "
+- "If not specified the default SSL version is SSLv23. This version "
+- "provides the most compatibility with other versions client side. "
+- "Other SSL protocol versions are: SSLv2, SSLv3 and TLSv1.",
+- type=str, choices=["SSLv23", "SSLv2", "SSLv3", "TLSv1"], default="SSLv23")
++ "If not specified the default SSL version is taken from the default in "
++ "the Python standard `ssl` library for the version of Python that is "
++ "installed. Other SSL protocol versions are: SSLv2, SSLv3, SSLv23, "
++ "TLSv1, TLSv1_1, TLSv1_2 but not all of them may be available on all "
++ "versions of Python.",
++ type=str,
++ choices=["SSLv23", "SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2"],
++ default=None)
+
+ parser.add_argument_group(ssl_group)
+
+@@ -170,14 +174,14 @@
+ else:
+ options.cert_reqs = ssl.CERT_NONE
+
+- if options.ssl_version == "SSLv2":
+- options.ssl_version = ssl.PROTOCOL_SSLv2
+- elif options.ssl_version == "SSLv3":
+- options.ssl_version = ssl.PROTOCOL_SSLv3
+- elif options.ssl_version == "TLSv1":
+- options.ssl_version = ssl.PROTOCOL_TLSv1
+- else:
+- options.ssl_version = ssl.PROTOCOL_SSLv23
++ if options.ssl_version is not None:
++ if hasattr(ssl, 'PROTOCOL_' + options.ssl_version):
++ options.ssl_version = getattr(
++ ssl, 'PROTOCOL_' + options.ssl_version)
++ else:
++ raise ValueError(
++ "SSL protocol '{0}' not supported on this version of "
++ "Python".format(options.ssl_version))
+
+ if options.loglevel in ("OFF", "ERROR", "WARNING", "DEBUG", "INFO"):
+ log.setLevel(options.loglevel)
+--- a/astropy/vo/samp/integrated_client.py
++++ b/astropy/vo/samp/integrated_client.py
+@@ -68,13 +68,13 @@
+ passed from the Hub end of the connection.
+
+ ssl_version : int, optional
+- Which version of the SSL protocol to use. Typically, the server chooses
+- a particular protocol version, and the client must adapt to the
+- server's choice. Most of the versions are not interoperable with the
+- other versions. If not specified the default SSL version is
+- `ssl.PROTOCOL_SSLv23`. This version provides the most compatibility
+- with other versions Hub side. Other SSL protocol versions are:
+- `ssl.PROTOCOL_SSLv2`, `ssl.PROTOCOL_SSLv3` and `ssl.PROTOCOL_TLSv1`.
++ Which version of the SSL protocol to use. Typically, the
++ server chooses a particular protocol version, and the client
++ must adapt to the server's choice. Most of the versions are
++ not interoperable with the other versions. If not specified,
++ the default SSL version is taken from the default in the
++ installed version of the Python standard `ssl` library. See
++ the `ssl` documentation for more information.
+
+ callable : bool, optional
+ Whether the client can receive calls and notifications. If set to
+@@ -167,14 +167,14 @@
+ certificate passed from the Hub end of the connection.
+
+ ssl_version : int, optional
+- Which version of the SSL protocol to use. Typically, the server
+- chooses a particular protocol version, and the client must adapt
+- to the server's choice. Most of the versions are not interoperable
+- with the other versions. If not specified the default SSL version
+- is `ssl.PROTOCOL_SSLv3`. This version provides the most
+- compatibility with other versions server side. Other SSL protocol
+- versions are: `ssl.PROTOCOL_SSLv2`, `ssl.PROTOCOL_SSLv3` and
+- `ssl.PROTOCOL_TLSv1`.
++ Which version of the SSL protocol to use. Typically, the
++ server chooses a particular protocol version, and the
++ client must adapt to the server's choice. Most of the
++ versions are not interoperable with the other versions. If
++ not specified, the default SSL version is taken from the
++ default in the installed version of the Python standard
++ `ssl` library. See the `ssl` documentation for more
++ information.
+
+ pool_size : int, optional
+ The number of socket connections opened to communicate with the
+--- a/astropy/vo/samp/ssl_utils.py
++++ b/astropy/vo/samp/ssl_utils.py
+@@ -32,7 +32,7 @@
+
+ def __init__(self, host, port=None, key_file=None, cert_file=None,
+ cert_reqs=ssl.CERT_NONE, ca_certs=None,
+- ssl_version=ssl.PROTOCOL_SSLv3, strict=None):
++ ssl_version=None, strict=None):
+
+ HTTPConnection.__init__(self, host, port, strict)
+
+@@ -47,12 +47,18 @@
+
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.connect((self.host, self.port))
+- sslconn = ssl.wrap_socket(sock, server_side=False,
+- certfile=self.cert_file,
+- keyfile=self.key_file,
+- cert_reqs=self.cert_reqs,
+- ca_certs=self.ca_certs,
+- ssl_version=self.ssl_version)
++ # We have to explicitly not pass the ssl_version to
++ # `ssl.wrap_socket` if it's None.
++ kwargs = {
++ 'server_size': False,
++ 'certfile': self.cert_file,
++ 'keyfile': self.key_file,
++ 'cert_reqs': self.cert_reqs,
++ 'ca_certs': self.ca_certs,
++ }
++ if self.ssl_version is not None:
++ kwargs['ssl_version'] = self.ssl_version
++ sslconn = ssl.wrap_socket(sock, **args)
+ self.sock = sslconn
+
+ class HTTPS(HTTP):
+@@ -64,7 +70,7 @@
+
+ def __init__(self, host='', port=None, key_file=None, cert_file=None,
+ cert_reqs=ssl.CERT_NONE, ca_certs=None,
+- ssl_version=ssl.PROTOCOL_SSLv3):
++ ssl_version=None):
+
+ # provide a default host, pass the X509 cert info
+
+@@ -97,7 +103,7 @@
+
+ def __init__(self, key_file=None, cert_file=None,
+ cert_reqs=ssl.CERT_NONE, ca_certs=None,
+- ssl_version=ssl.PROTOCOL_SSLv3, strict=None,
++ ssl_version=None, strict=None,
+ use_datetime=0):
+
+ xmlrpc.Transport.__init__(self, use_datetime)
+@@ -151,10 +157,16 @@
+ def get_request(self):
+ # override this to wrap socket with SSL
+ sock, addr = self.socket.accept()
+- sslconn = ssl.wrap_socket(sock, server_side=True,
+- certfile=self.cert_file,
+- keyfile=self.key_file,
+- cert_reqs=self.cert_reqs,
+- ca_certs=self.ca_certs,
+- ssl_version=self.ssl_version)
++ # We have to explicitly not pass the ssl_version to
++ # `ssl.wrap_socket` if it's None.
++ kwargs = {
++ 'server_side': True,
++ 'certfile': self.cert_file,
++ 'keyfile': self.key_file,
++ 'cert_reqs': self.cert_reqs,
++ 'ca_certs': self.ca_certs
++ }
++ if self.ssl_version is not None:
++ kwargs['ssl_version'] = self.ssl_version
++ sslconn = ssl.wrap_socket(sock, **kwargs)
+ return sslconn, addr
diff -Nru python-astropy-0.4.2/debian/patches/series python-astropy-0.4.2/debian/patches/series
--- python-astropy-0.4.2/debian/patches/series 2014-09-24 15:59:41.000000000 +0200
+++ python-astropy-0.4.2/debian/patches/series 2015-01-19 18:07:09.000000000 +0100
@@ -2,3 +2,4 @@
 use_extern_ply.patch
 disable_helper.patch
 use_wcslib_4.24.patch
+remove_ssl_2_3.patch
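Review bot: The `choices` list in astropy/vo/samp/hub_script.py (hunk `@@ -148,10 +148,14 @@`) still offers `SSLv2` and `SSLv3`, and the new help text lists them without saying they are obsolete, so a hub can still be pinned to a broken protocol wherever the local `ssl` module exposes the constant. Since the change exists to stop depending on those protocols, I would drop them, `choices=["SSLv23", "TLSv1", "TLSv1_1", "TLSv1_2"],`, or at least have the help text say they are insecure and kept only for compatibility. In the next hunk (`@@ -170,14 +174,14 @@`) the `hasattr`/`getattr` lookup appears to be bounded by that same `choices` list, which is what makes building the attribute name from the option safe; a comment such as `# options.ssl_version is restricted by the argparse choices above` would keep a later edit from loosening it. Both hunks are excerpts of code that starts and ends outside them.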
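Review bot: In astropy/vo/samp/ssl_utils.py, hunk `@@ -47,12 +47,18 @@`, the client-side wrap cannot work as written: the options are collected in `kwargs`, but the call is `ssl.wrap_socket(sock, **args)`, and `args` is not bound anywhere in the visible lines, so unless it is defined earlier in the method (which starts outside the hunk) every client connection would raise NameError. The dict also spells the key `'server_size'`, which `ssl.wrap_socket` would reject as an unexpected keyword once the name is fixed. The two lines should read `'server_side': False,` and `sslconn = ssl.wrap_socket(sock, **kwargs)`, matching the `get_request` hunk at `@@ -151,10 +157,16 @@`, which has both right. A test that opens a single SSL connection through this class would catch both mistakes.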