[Python-modules-team] Bug#766296: python-urllib3: shouldn't it depend on python-ndg-httpsclient, python-openssl and python-pyasn1

Daniele Tricoli eriol at mornie.org
Wed Oct 22 14:11:31 UTC 2014

Hello Christoph,
thanks for this report!

[cc Donald Stufft since he is a security guy! Thanks Donald and sorry for the 
noise! ;)]

On Wednesday 22 October 2014 03:00:30 Christoph Anton Mitterer wrote:
> So apparently you say, that without python-ndg-httpsclient, python-openssl
> and python-pyasn1   python-urllib3 is vulnerable to at least CRIME, right?

When using SSL, yes, but only on Python 2: on Python 3 you can just use 
OP_NO_COMPRESSION to prevent it.

> But shouldn't it then Depend on all of those? Or is it guaranteed that
> all code that might ever use python-urllib3, will check for these
> dependencies whenever SSL/TLS is used, and therefore be on the safe side?.

Of course, it's not guaranteed that all code that might ever use python-
urllib3 will check for python-ndg-httpsclient, python-openssl and python-
pyasn1 (well this dipends on how upstream wrote that code), but urllib3 can be 
used without SSL/TLS at all.

Debian Policy says about Recomends[¹]:


        This declares a strong, but not absolute, dependency.

        The Recommends field should list packages that would be found together 
        with this one in all but unusual installations.

A not so unusual installation can be a service where I use urllib3 without 
SSL/TSL: in this case I don't need python-ndg-httpsclient, python-openssl and 

> I mean if e.g. openssl would dynamically load libssl and silently default to
> using aNULL and eNULL ciphersuites only, when it's not present,... one
> would probably also say "libssl is mandatory, since otherwise security
> isn't guaranteed".

I think this example, however, is a bit different. Do you think so?
You will not use openssl without libssl (I'm considering the use of NULL 
ciphersuites as not using libssl at all), but you *can* use urllib3 without 

So, I think Recommends is fine in this case. For more details you can look at 
this thread on @debian-python:


Kind regards,

 Daniele Tricoli 'Eriol'

More information about the Python-modules-team mailing list