[Python-modules-team] Bug#766296: python-urllib3: shouldn't it depend on python-ndg-httpsclient, python-openssl and python-pyasn1

Donald Stufft donald at stufft.io
Wed Oct 22 15:32:01 UTC 2014


For what it’s worth, I believe that PEP 476 patch has been applied to Python 2.7.8
in Jessie which means that urllib3 will automatically get the same security it has
on Python 3+ on Python 2 without needing anything additional installed.

> On Oct 22, 2014, at 10:11 AM, Daniele Tricoli <eriol at mornie.org> wrote:
> 
> Hello Christoph,
> thanks for this report!
> 
> [cc Donald Stufft since he is a security guy! Thanks Donald and sorry for the 
> noise! ;)]
> 
> On Wednesday 22 October 2014 03:00:30 Christoph Anton Mitterer wrote:
>> So apparently you say, that without python-ndg-httpsclient, python-openssl
>> and python-pyasn1 python-urllib3 is vulnerable to at least CRIME, right?
> 
> When using SSL, yes, but only on Python 2: on Python 3 you can just use 
> OP_NO_COMPRESSION to prevent it.
> 
>> But shouldn't it then Depend on all of those? Or is it guaranteed that
>> all code that might ever use python-urllib3, will check for these
>> dependencies whenever SSL/TLS is used, and therefore be on the safe side?.
> 
> Of course, it's not guaranteed that all code that might ever use python-
> urllib3 will check for python-ndg-httpsclient, python-openssl and python-
> pyasn1 (well, this depends on how upstream wrote that code), but urllib3 can be 
> used without SSL/TLS at all.
> 
> Debian Policy says about Recommends[¹]:
> 
>    Recommends
> 
>        This declares a strong, but not absolute, dependency.
> 
>        The Recommends field should list packages that would be found together 
>        with this one in all but unusual installations.
> 
> A not so unusual installation can be a service where I use urllib3 without 
> SSL/TLS: in this case I don't need python-ndg-httpsclient, python-openssl and 
> pyasn1.
> 
>> I mean if e.g. openssl would dynamically load libssl and silently default to
>> using aNULL and eNULL ciphersuites only, when it's not present,... one
>> would probably also say "libssl is mandatory, since otherwise security
>> isn't guaranteed".
> 
> I think this example, however, is a bit different. Do you think so?
> You will not use openssl without libssl (I'm considering the use of NULL 
> ciphersuites as not using libssl at all), but you *can* use urllib3 without 
> SSL.
> 
> So, I think Recommends is fine in this case. For more details you can look at 
> this thread on @debian-python:
> 
> https://lists.debian.org/debian-python/2014/06/msg00031.html
> 
> Kind regards,
> 
> -- 
> Daniele Tricoli 'Eriol'
> http://mornie.org

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
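The Python 3 side of Daniele's point (OP_NO_COMPRESSION against CRIME) and the verification defaults that PEP 476 brought to the Python 2.7 branch, as an added example that is not part of this thread or of urllib3 itself. It uses only the standard-library ssl module; the function names (hardened_context, weak_context, audit, is_safe) are mine, and the "weak" context is constructed purely so that the audit has something to reject.

```python
import ssl


def hardened_context() -> ssl.SSLContext:
    """Client context with the properties discussed in the thread.

    ssl.create_default_context() is what PEP 476 made the default for
    urllib/http.client: CERT_REQUIRED plus hostname checking against the
    system trust store.  OP_NO_COMPRESSION is OR-ed in explicitly so that
    TLS-level compression (the precondition for CRIME) can never be
    negotiated, whatever the interpreter or OpenSSL build defaults are.
    """
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def weak_context() -> ssl.SSLContext:
    """Deliberately misconfigured context (constructed for this example
    only): certificate verification switched off and the no-compression
    flag cleared again, i.e. the state a pre-PEP-476 Python 2 client
    without pyOpenSSL could end up in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    # Clearing a bit on .options calls SSL_CTX_clear_options underneath.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """The three checks to run on a context before handing it to an HTTPS
    client: are peer certs verified, is the hostname checked, and is TLS
    compression off."""
    return {
        "verifies_certs": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "compression_disabled": bool(
            int(ctx.options) & int(ssl.OP_NO_COMPRESSION)
        ),
    }


def is_safe(ctx: ssl.SSLContext) -> bool:
    """True only when every audit item passes."""
    return all(audit(ctx).values())


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_context()),
                      ("weak", weak_context())):
        print(name, audit(ctx), "OK" if is_safe(ctx) else "REJECT")
```

Recent urllib3 releases accept a prebuilt context through an ssl_context keyword on the pool classes (an assumption about versions later than the one this bug is about, not something the thread states); with the Jessie-era packages the point stands as Daniele put it: on Python 3 the stdlib context can do this by itself, on Python 2 without the PEP 476 backport it needs pyOpenSSL and friends.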
