
requests emits InsecurePlatformWarning
Closed, ResolvedPublic

Description

The switch from httplib2 to requests has resulted in a lot of InsecurePlatformWarnings, appearing in ordinary usage but especially in the test suite.

Also it appears that this causes additional problems on Python 2.6 within the test framework's deprecation system.

Event Timeline

jayvdb raised the priority of this task from to High.
jayvdb updated the task description.
jayvdb added subscribers: XZise, gerritbot, Aklapper and 2 others.

Change 220388 had a related patch set uploaded (by John Vandenberg):
Add extra dependencies to fix InsecurePlatformWarning on Python <2.7.9

https://gerrit.wikimedia.org/r/220388

If possible, we should be adding the 'security' (or betterssl) extra when we specify the requests dependency, as that should add all the necessary dependencies. They changed the name fairly recently (https://github.com/kennethreitz/requests/commit/958845ae35cee1fa15acc14b5691d787e8bed9bb), but that shouldn't be a problem unless we specify minimum versions of requests.

If requests doesn't add all the appropriate dependencies, those optional dependencies should be added to the requests setup.py, tracking the upstream problem here.

jayvdb raised the priority of this task from High to Unbreak Now!.
jayvdb set Security to None.

It's the other way around. I'm not sure if we know but at least I guess the errors in T102365 are happening because of the warning shown here. And it then complains that the warning is not happening wherever the deprecated method is executed but somewhere else (although it actually checked the wrong warning). So when you get the warning here fixed so that it doesn't get emitted it wouldn't test the InsecurePlatformWarning and it should actually compare the deprecation warning.
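An added illustration of the test-framework problem described above, not code from the task or from pywikibot: a check that inspects only the first recorded warning picks up the InsecurePlatformWarning instead of the DeprecationWarning, while a check that selects by category and message ignores the unrelated warning. The InsecurePlatformWarning class and deprecated_method are constructed stand-ins so the example runs without requests installed.

```python
import warnings


class InsecurePlatformWarning(Warning):
    """Constructed stand-in for urllib3.exceptions.InsecurePlatformWarning."""


def _platform_warning():
    # Simulates what requests emits on Python < 2.7.9 without the 'security' extra.
    warnings.warn("A true SSLContext object is not available.", InsecurePlatformWarning)


def deprecated_method():
    """Constructed deprecated API whose HTTP call also trips the platform warning."""
    _platform_warning()
    warnings.warn("deprecated_method is deprecated, use new_method",
                  DeprecationWarning, stacklevel=2)
    return "ok"


def first_warning_category(func):
    """The brittle check: assumes the first recorded warning is the deprecation."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        func()
    return caught[0].category.__name__ if caught else None


def deprecation_check(func, fragment):
    """Select DeprecationWarnings whose message contains `fragment` and report
    the other warning categories that were seen (and ignored) alongside them."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        func()
    matches = [w for w in caught
               if issubclass(w.category, DeprecationWarning) and fragment in str(w.message)]
    ignored = sorted({w.category.__name__ for w in caught if w not in matches})
    return len(matches), ignored


if __name__ == "__main__":
    print(first_warning_category(deprecated_method))  # InsecurePlatformWarning
    print(deprecation_check(deprecated_method, "deprecated_method is deprecated"))
```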

@VcamX , https://gerrit.wikimedia.org/r/220388 needs to be polished - when that is merged, most of the T102365 problems will disappear.

@XZise I agree with you.
I think @Legoktm's patch could fix InsecurePlatformWarning. But it also emits two new DeprecationWarnings:

/Users/VcamX/Documents/workspace/core/env/lib/python2.6/site-packages/cryptography/__init__.py:25: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python.
  DeprecationWarning
WARNING: /Users/VcamX/Documents/workspace/core/env/lib/python2.6/site-packages/requests/packages/urllib3/contrib/pyopenssl.py:198: DeprecationWarning: unicode for buf is no longer accepted, use bytes
  return self.connection.send(data)

The cryptography deprecation warning could be suppressed by using its 0.8.2 version (the latest is 0.9.3) which doesn't warn that we're using 2.6. But I don't think it's a good solution. It has many changes in its latest version: CHANGELOG

I think the second deprecation warning is caused by sending unicode data: https://github.com/pyca/pyopenssl/blob/master/OpenSSL/SSL.py#L1261, https://github.com/pyca/pyopenssl/blob/master/OpenSSL/_util.py#L107
We may encode data using utf-8 by ourselves in _http_process of comms/http.py. This is unconfirmed. I'm working on it.

I disagree that we should just blindly encode data using UTF-8. Instead we should make sure that our requests just contains binary data and no unicode strings. @valhallasw has two patches which should make sure of that. Maybe you could test it with that.

Regarding the other warning I'm not sure what the best handling there is. Some OS only support Python 2.6 but these might provide packages which don't emit that warning.
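An added example (not from the task or from pywikibot) of the approach XZise argues for above: instead of blindly encoding, walk the request payload and reject any text value so the caller that produced it gets fixed. It is written for Python 3, where `str` is the unicode type; the sample payload is constructed for the example.

```python
def find_text_values(obj, path="payload"):
    """Walk a request payload (dicts, lists, tuples, scalars) and return the
    paths of every text (unicode) value; bytes and bytearray are what belongs
    on the wire."""
    found = []
    if isinstance(obj, str):
        found.append(path)
    elif isinstance(obj, dict):
        for key, value in obj.items():
            found.extend(find_text_values(key, "%s.key(%r)" % (path, key)))
            found.extend(find_text_values(value, "%s[%r]" % (path, key)))
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            found.extend(find_text_values(value, "%s[%d]" % (path, index)))
    return found


def assert_binary_payload(payload):
    """Raise TypeError naming the offending paths rather than encoding silently."""
    offenders = find_text_values(payload)
    if offenders:
        raise TypeError("text values in request payload: %s" % ", ".join(offenders))
    return payload


# Constructed sample: one value was left as text by the caller.
SAMPLE_PAYLOAD = {b"action": b"query", b"titles": "Wikip\u00e9dia", b"limit": [b"10"]}

if __name__ == "__main__":
    print(find_text_values(SAMPLE_PAYLOAD))  # ["payload[b'titles']"]
    assert_binary_payload(SAMPLE_PAYLOAD)    # raises TypeError
```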


I think only RHEL is a 'supported' Python 2.6 platform. So wrt the Travis-CI problems on Python 2.6, we could try to emulate RHEL Python 2.6 by using the versions provided by RHEL at:
http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/

i.e. python-ipaddr-2.1.9 (see T105443), python-crypto-2.0.1 , python-pyasn1-0.0.12a, but I do not see a python-requests in that list.

Change 220388 merged by jenkins-bot:
[FIX] InsecurePlatformWarning on Python <2.7.9

https://gerrit.wikimedia.org/r/220388

@VcamX: you added in PS7 of the requests patch an additional condition for our tests. I guess this is not necessary anymore (and it would test that the patch works)?

@XZise Okay, I'll send a new patch for that.

Change 225666 had a related patch set uploaded (by John Vandenberg):
remove filename deprecation workaround

https://gerrit.wikimedia.org/r/225666

Change 225666 merged by jenkins-bot:
remove filename deprecation workaround

https://gerrit.wikimedia.org/r/225666