[Python-modules-team] Bug#766296: python-urllib3: shouldn't it depend on python-ndg-httpsclient, python-openssl and python-pyasn1
Daniele Tricoli
eriol at mornie.org
Wed Oct 22 14:11:31 UTC 2014

Hello Christoph,
thanks for this report!
[cc Donald Stufft since he is a security guy! Thanks Donald and sorry for the 
noise! ;)]
On Wednesday 22 October 2014 03:00:30 Christoph Anton Mitterer wrote:
> So apparently you say, that without python-ndg-httpsclient, python-openssl
> and python-pyasn1   python-urllib3 is vulnerable to at least CRIME, right?
When using SSL, yes, but only on Python 2: on Python 3 you can just use 
OP_NO_COMPRESSION to prevent it.
> But shouldn't it then Depend on all of those? Or is it guaranteed that
> all code that might ever use python-urllib3, will check for these
> dependencies whenever SSL/TLS is used, and therefore be on the safe side?
Of course, it's not guaranteed that all code that might ever use python-
urllib3 will check for python-ndg-httpsclient, python-openssl and python-
pyasn1 (well this depends on how upstream wrote that code), but urllib3 can be 
used without SSL/TLS at all.
Debian Policy says about Recommends[¹]:
    Recommends
        This declares a strong, but not absolute, dependency.
        The Recommends field should list packages that would be found together 
        with this one in all but unusual installations.
A not so unusual installation can be a service where I use urllib3 without 
SSL/TLS: in this case I don't need python-ndg-httpsclient, python-openssl and 
pyasn1.
> I mean if e.g. openssl would dynamically load libssl and silently default to
> using aNULL and eNULL ciphersuites only, when it's not present,... one
> would probably also say "libssl is mandatory, since otherwise security
> isn't guaranteed".
I think this example, however, is a bit different. Do you think so?
You will not use openssl without libssl (I'm considering the use of NULL 
ciphersuites as not using libssl at all), but you *can* use urllib3 without 
SSL.
So, I think Recommends is fine in this case. For more details you can look at 
this thread on @debian-python:
https://lists.debian.org/debian-python/2014/06/msg00031.html
Kind regards,
-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org
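The Python 3 mitigation the message refers to (setting OP_NO_COMPRESSION on the TLS context so CRIME-style compression side channels cannot arise) is small enough to show in full. The following is an added example, not code from the bug report, from urllib3 or from Debian; the helper names (make_context, compression_disabled, needs_pyopenssl) are assumptions chosen for this illustration. It builds a client context with compression disabled, verifies the flag is really set, and exposes the runtime check a library would use to decide whether the interpreter can apply the mitigation itself or must fall back to pyOpenSSL as the thread discusses.

```python
"""Added example (not from the bug report, urllib3 or Debian): disable TLS
compression on a Python 3 SSLContext and verify the setting."""
import ssl


def needs_pyopenssl():
    """True when the running ssl module cannot disable compression itself.

    That is the situation the message describes for Python 2: without
    OP_NO_COMPRESSION the interpreter has no switch for the CRIME mitigation
    and a library must route TLS through pyOpenSSL instead.
    """
    return not hasattr(ssl, "OP_NO_COMPRESSION")


def compression_disabled(options):
    """True if the OP_NO_COMPRESSION bit is set in an SSLContext.options value."""
    if needs_pyopenssl():
        # No flag exists, so nothing the interpreter does can guarantee it.
        return False
    return bool(options & ssl.OP_NO_COMPRESSION)


def make_context():
    """Return a client SSLContext with TLS compression turned off.

    create_default_context() also enables certificate and hostname
    verification; on Python 3.6+ OP_NO_COMPRESSION is already part of the
    defaults, but setting it explicitly documents the intent and covers
    older 3.x releases where it was not.
    """
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    assert compression_disabled(ctx.options), "compression still enabled"
    return ctx


if __name__ == "__main__":
    ctx = make_context()
    print("needs pyOpenSSL fallback:", needs_pyopenssl())
    print("compression disabled on context:", compression_disabled(ctx.options))
    # On a live connection the same fact can be confirmed after the handshake
    # with ssock.compression(), which returns None when none was negotiated.
```

Wrapping a socket with the returned context gives a connection on which no compression method is offered, and a deployment audit can apply compression_disabled() to any context a service constructs rather than trusting the interpreter's defaults.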