-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
testing idea to migrate from pyopenssl onto cryptography (#1) #196
base: master
Are you sure you want to change the base?
Conversation
* testing idea to migrate from pyopenssl onto cryptography
stashed the legacy objects to aid in migration
Thanks for testing this out! My main question is if the primary benefit of this PR is to preserve backwards compatibility, and if so, is that needed? Assume we want to remove Or is the goal to just remove the pyopenssl usage now, without worrying about the larger project of decoupling certbot from josepy custom types? On a more practical note, |
Ack. those were failing after submitting this PR, and supposed to be committed into my in-process branch - not the PR one. I'll get those working even if just for me.
Basically that. I wanted to offer the most minimally breaking change conceivable to get Certbot off pyopenssl immediately, as I do think the concerns raised in #5 over third-party libraries utilizing Rather than giving impacted projects a mandate to "pin or upgrade", anything affected could do a temporary migration to the I am perhaps too influenced with SqlAlchemy, which goes to extreme measures to prepare users for API changes well in advance of breaking changes. |
bump cryptography version address mypy issue
it seems my local virtualenv got broken or conflicted, which kept the pre-commits from running correctly or at all. rebuilding got everything to work correctly. I'm not sure why the external test is failing here for openssl build errors; it passes elsewhere. the minimum version of cryptography had to be bumped to 42, to support timezone aware datetime objects. that version bump should probably happen in this project no matter what, as the timezone agnostic interfaces are deprecated. i was dealing with randomly failing tests, because each testrunner used a different cryptography version. |
That seems like a valid motivation; I confess I was only thinking of josepy in terms of its use as a certbot dependency and hasn't realized that other projects do seem to use it as well. It's more popular than I realized. As for the error: https://community.letsencrypt.org/t/certbot-renew-fails-no-attribute-x509-v-flag-notify-policy/215629/2
Sounds like since we need cryptography 42, gotta use a newer pyopenssl as well. |
Ah, that explains why it works on some runs but not others. Something I’ll do tomorrow is drop pyopenssl from requirements, and make it a conditional import (in try block). Then try to make tests run with and without pyopenssl, dropping some skip-unless options in there. I don’t know if any of this is useful to you all, but I could use the mental exercise:) |
If nothing else this discussion has certainly helped me realize how many people are using josepy which helps contextualize my thinking about it. I'm surprised that this PR gets us to where we could just drop pyopenssl as a requirement, even if conditionally. Or is that just to get a clearer picture of where it's still needed? |
That's exactly the plan. I just need to figure out how to get tox and poetry to handle this correctly. My thought was to migrate openssl into an optional dependency (i.e. josepy would then not require openssl, but use it if available (and compatible, I've got the version check handled). affected projects would then have to specify the openssl requirement in their code - which they already should be doing as they'd be doing something with the |
* conditional imports for pyopenssl * attempted, then removed version check for pyopenssl; it is guaranteed due to cryptography version(?) * edit pyproject.toml to make dependency optional * poetry lock update * removed unused `load_pyopenssl_private_key` * the tox does not use `extras` but its there for form. i did a full override on `commands_pre` because it was a nightmare trying to migrate the extras into that install command with overrides.
ok, so this works! cryptography is optional via a The test matrix is now doubled, running in "noopenssl" and "legacy" modes.
In In The only thing not supported is the pyopenssl text filetype, but I can't imagine that being used much. Anyways, my suggestion for an approach like this would be :
That would allow for certbot (and related projects) to drop pyopenssl for cryptography ASAP, and to drop pyopenssl from josepy in the near future - while giving any 3rd party projects a migration tool and minimally breaking their projects. As mentioned above - any breaking changes against unpinned projects will already require a hotfix version bump release, so instead of pinning to This was annoying, but fun, to get github+tox+poetry to work together nicely. |
Appreciate all the work you put in here! While I love the thoughtfulness for helping people migrate, I don't personally see the benefit of having people switch to |
I'm fine with dropping I think most of the breakage in those would be through tests; from what I remember the library code mostly doesn't rely on the internals of this object. |
Not to worry about certbot/acme; both are pinned to josepy |
This PR accepts the pyopenssl objects and converts them to cryptography objects. I can generate another pr that doesn’t do any of that.The main idea behind this was that it automatically upgrades legacy objects, and also offers a legacy interface, so projects can drop pyopenssl asap. I wanted to make it as easy and fast for everyone to get off it asap.I’ll make a no OpenSSL pr in another branch.On Dec 20, 2024, at 8:14 PM, ohemorange ***@***.***> wrote:
Not to worry about certbot/acme; both are pinned to josepy <2.0 for exactly this reason. What do you mean the packaging/testing concerns about accepting pyopenssl objects? Ideally we would no longer do so, no?
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>
|
As for having a migration period, I realized was bothering me: historically, we've had both implementations in a parallel in a way that doesn't require any change on the caller's part, without breaking backwards compatibility and adding warnings, and then making a single breaking change in a new version. So instead of having a partial migration with 2.0 and a full in 2.1, it would be something like |
That should be doable, I have a few ideas. The only thing I don’t understand is the version conflict with pyopenssl, as I can’t reproduce that locally. Can you share any info on the external test that is triggering that? |
For the openssl version, I think this is the error that's caused by crypto/pyopenssl mismatches. Easiest way to fix this before fully deprecating pyopenssl is to not yet upgrade cryptography, which can be done as in https://github.com/certbot/certbot/pull/10103/files:
|
Thanks. That wasn't the issue, but I think I figured things out and a workaround. The Exception is caused by removing OpenSSL from the active code, but still having it in the unit tests. Under those conditions, your test runner is picking up whatever pyopenssl version was installed on the system (if any) and raising an Exception due the version incompatibility. If I am right about this, I should (hopefully) only have to list pyopenssl as dev dependency (and hope your systems pick that up as if it were a test_requires listing). I should have some time tomorrow to figure out a rebase against main to see if my dev grouping idea worked, and try some of the legacy/new ideas. |
turn off the daily runs, i'm not mozilla
Sphinx v8 no longer supports intersphinx_mapping being a direct map; it now must be a map with identifiers and tuples. This fixes a FTBFS downstream in Debian, bug #1090148.
* testing idea to migrate from pyopenssl onto cryptography
stashed the legacy objects to aid in migration
* conditional imports for pyopenssl * attempted, then removed version check for pyopenssl; it is guaranteed due to cryptography version(?) * edit pyproject.toml to make dependency optional * poetry lock update * removed unused `load_pyopenssl_private_key` * the tox does not use `extras` but its there for form. i did a full override on `commands_pre` because it was a nightmare trying to migrate the extras into that install command with overrides.
Git and Github Actions are giving me too many problems; I will probably have to do a force-push or new branch. |
I was testing this idea to migrate from pyopenssl onto cryptography, before being pointed to #182
This is a less backwards incompatible change than that PR.
ComparableX509
is retained, but the underlying storage is migrated from pyopenssl onto cryptography.The init still accepts the legacy objects, but transcodes them.
I patched in support for the only
getattr(ComparableX509.wrapped)
in the tests. If one wanted to go crazy, there could be a full mapping there for compatibility - however I don't think wrapped attributes should be interacted with.The actual tests pass, but precommit fails (even though i have precommit locally and i manually reordered the imports based on github runner output).
I think this approach might make it easier to move completely away from pyopenssl over a few iterations of the related projects.