BUG: Compatibility issue with python3-cryptography 43.0.0

[Nilsonfsilva]

Hi! portugue

When trying to update pyfunceble to version 4.26 on Debian, I got an error in CI/CD tests due to incompatibility with version 43.0.0 of python3-cryptography. Reading package lists... 0m6.9s DEBUG: Command ok: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_copy_configs'] 0m6.9s DEBUG: Starting command: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_database-server'] 0m6.9s DEBUG: Command ok: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_database-server'] 0m6.9s DEBUG: Starting command: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_exceptions'] 0m6.9s DEBUG: Command ok: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_exceptions'] 0m6.9s DEBUG: Starting command: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_extras'] 0m6.9s DEBUG: Command ok: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_extras'] 0m6.9s DEBUG: Starting command: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_foreign_architecture'] 0m6.9s DEBUG: Command ok: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_foreign_architecture'] 0m6.9s DEBUG: Starting command: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_foreign_architecture_i386'] 0m6.9s DEBUG: Command ok: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'tmp/scripts/pre_install_foreign_architecture_i386'] 0m6.9s DEBUG: Starting command: ['lsof', '-w', '+D', '/tmp/tmp7xog0dc3'] 0m8.0s DEBUG: Command failed (status=1), but ignoring error: ['lsof', '-w', '+D', '/tmp/tmp7xog0dc3'] 0m8.3s DEBUG: No broken symlinks as far as we can find. 0m8.3s DEBUG: Starting command: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'dpkg-query', '-f', '${Version}\n', '-W', 'apt'] 0m8.3s DUMP: 2.9.8 0m8.3s DEBUG: Command ok: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'dpkg-query', '-f', '${Version}\n', '-W', 'apt'] 0m8.3s DEBUG: Copying /builds/python-team/packages/python-pyfunceble/debian/output/python3-pyfunceble_4.2.25.dev-1+salsaci+20240912+22_all.deb to /tmp/tmp7xog0dc3/tmp 0m8.3s DEBUG: Starting command: ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'apt-get', '-y', '--allow-downgrades', 'install', './tmp/python3-pyfunceble_4.2.25.dev-1+salsaci+20240912+22_all.deb'] 0m9.7s DUMP: Reading package lists... Building dependency tree... Reading state information... Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation:

The following packages have unmet dependencies: python3-pyfunceble : Depends: python3-cryptography (< 43) but 43.0.0-1 is to be installed E: Unable to correct problems, you have held broken packages. 0m9.7s ERROR: Command failed (status=100): ['chroot', '/tmp/tmp7xog0dc3', 'eatmydata', 'apt-get', '-y', '--allow-downgrades', 'install', './tmp/python3-pyfunceble_4.2.25.dev-1+salsaci+20240912+22_all.deb'] Reading package lists... Building dependency tree... Reading state information... Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation:

The following packages have unmet dependencies: python3-pyfunceble : Depends: python3-cryptography (< 43) but 43.0.0-1 is to be installed E: Unable to correct problems, you have held broken packages.

0m10.8s DEBUG: Starting command: ['umount', '/tmp/tmp7xog0dc3/dev/shm'] 0m10.8s DEBUG: Command ok: ['umount', '/tmp/tmp7xog0dc3/dev/shm'] 0m10.8s DEBUG: Starting command: ['umount', '/tmp/tmp7xog0dc3/dev/pts'] 0m10.8s DEBUG: Command ok: ['umount', '/tmp/tmp7xog0dc3/dev/pts'] 0m10.8s DEBUG: Starting command: ['umount', '/tmp/tmp7xog0dc3/proc'] 0m10.8s DEBUG: Command ok: ['umount', '/tmp/tmp7xog0dc3/proc'] 0m10.8s DEBUG: Starting command: ['rm', '-rf', '--one-file-system', '/tmp/tmp7xog0dc3'] 0m10.9s DEBUG: Command ok: ['rm', '-rf', '--one-file-system', '/tmp/tmp7xog0dc3'] 0m10.9s DEBUG: Removed directory tree at /tmp/tmp7xog0dc3 0m10.9s ERROR: piuparts run ends. Cleaning up project directory and file based variables 00:01 ERROR: Job failed: exit code 1

[funilrys]

Hey @Nilsonfsilva, nice to hear from you. I did update that a few hours ago to mitigate: https://github.com/advisories/GHSA-h4gh-qq45-vh27 .

I think we should revert the change then. Will that be okay for you ?

[funilrys]

Waiting for @Nilsonfsilva before we proceed with a change.

[Nilsonfsilva]

yes I am well! And you ?

I haven't upgraded to Debian yet! because before we upload a release, we first submit it for CI/CD testing.

The problem is that we cannot roll back python3-cryptography 43.0.0 version on Debian. Now pyfunceble is also crashing in version 4.25 now

o requirements.txt. It says that yfunceble is only compatible with versions lower than 43.0.0

Is there already any action being taken around this?

[funilrys]

I'm doing well too. A bit busy lately but well.

Well, let me revert the change.

[funilrys]

@Nilsonfsilva What is the minimal version you require ?

[funilrys]

Let's reopen this until @Nilsonfsilva confirms that the next release is OK.

[Nilsonfsilva]

Have you tested pyfunceble for version python-cryptography 43.0.0?

If you already have it and it works well, I believe the restriction of cryptography~=43.0, in requirements.txt should be modified.

Currently python-cryptography There are also regression problems for some architectures. https://qa.debian.org/excuses.php?package=python-cryptography

Let's wait for python-cryptography be corrected and then we can take some action.

[funilrys]

@Nilsonfsilva , yeah our CI/CD tests if everything is right by:

• running the unit tests
• running the software with the commonly used parameters

in an isolated environment with all python version we support.

All right, the changes have been pushed. Here are the references:

1. Ongoing CI / CD: https://github.com/funilrys/PyFunceble/actions/runs/10980697281
2. Frozen tag: https://github.com/funilrys/PyFunceble/tree/v4.2.27.dev
3. Commit/Revert: https://github.com/funilrys/PyFunceble/commit/60f24e6e810ab527fed2af556f3e811e8a132a0a

[Nilsonfsilva]

Excellent! Let's wait for python-cryptography normalize in regression tests. Because python-cryptography is breaking some packages too.

Stay tuned, I'll keep you informed.

It was nice talking to you.

[funilrys]

All right @Nilsonfsilva, I'll keep this issue open then. Feel free to open new issues if something are not working while packaging for Debian.

Always nice talking to you - too.

Thank you for your effort and cooperation.

[spirillen]

Hey @Nilsonfsilva and @funilrys

I don't see what version of Debian is being used, but if you like I do have a Debian 12 I can test this on.

[Nilsonfsilva]

Hello funilrys! I hope you are well!

See the problem with pyfunceble currently in Debian is the incompatibility with the current version of encryption that is in Debian, in this case 43.0.0.

Pyfunceble's dependencies say it doesn't support this version: https://github.com/funilrys/PyFunceble/blob/dev/requirements.txt#L3

I don't see which version of Debian is being used, but if you want, I have a Debian 12 that I can test.

Just so you understand: Debian is preparing its next version 13. Pyfunceble is being tested to enter the next version.

We receive updates daily in our repositories. And we need to make the packages work with the new versions of the dependencies.

In some cases, this means that in some cases we need to make adjustments through patches to keep packages working in our ecosystem.

My question is: Does pyfunceble support "cryptography" version 43.0.0?

If yes, why can't you change it: https://github.com/funilrys/PyFunceble/blob/dev/requirements.txt#L3 for "encryption >=42.0"

Because when packages are being built, it reads the requirements.txt and based on it checks the compatibility of the dependencies.

It is currently failing CI/CD tests: https://salsa.debian.org/python-team/packages/python-pyfunceble/-/jobs/6389517#L144

Make sure there is no incompatibility; otherwise you can change this. It would be great if the package migrated to our new version.

Thanks!

[funilrys]

Hey @Nilsonfsilva ,

sorry for the waiting time. I hope you are doing well - too.

Does pyfunceble support "cryptography" version 43.0.0?

Yes, it does. I reverted the change (cf: https://github.com/funilrys/PyFunceble/commit/60f24e6e810ab527fed2af556f3e811e8a132a0a) because of the issue you opened.

Let me change that for you.

[funilrys]

@Nilsonfsilva Switched requirements in the latest pre-release.

[spirillen]

This seems to de a issue on BSD as well, disregarding if I use the latest (py311-cryptography: 42.0.8_3,1) or legacy (py311-cryptography-legacy: 3.4.8_3,1) module

Fatal Error: module 'openssl' has no attribute 'ciphers'

In this case, this is related to DB connection on MariaDB

[funilrys]

Closing as we are in the process of dropping cryptography. Thanks everyone.

[Nilsonfsilva]

Hi

I'm almost finished configuring the new documentation that came with 4.2.29-dev.

Fechando porque estamos no processo de eliminação da criptografia. Obrigado a todos.

I'm glad you've already committed the python3-cryptography dependency issue.

For now the only problem we are facing in CI/CD tests is this: https://salsa.debian.org/python-team/packages/python-pyfunceble/-/jobs/6529391

Do you have an estimate of when you will release a new tag, with the commits that fix the problem?