Page MenuHomePhabricator

cergen CI fails to run on Debian Stretch because cryptography dependency cannot be built against newer openssl version
Open, MediumPublic

Description

I couldn't find a project for cergen, so putting this in Operations.

When I switched cergen's CI to run on Debian Stretch it started to fail building because of cryptography and the newer openssl version.

The full log is https://integration.wikimedia.org/ci/job/cergen-tox-docker/42/consoleFull

For now I've kept cergen CI on Debian Jessie, but that isn't a long-term sustainable solution.

Event Timeline

Legoktm created this task.Dec 20 2018, 6:26 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 20 2018, 6:26 AM
hashar added a subscriber: hashar.Dec 20 2018, 7:53 AM

That is due to:

'cryptography>=1.7.0,<2.0.0'

Introduced by @ottomatta with comment:

Require cryptography to be < 2 for use on Debian

And we also have:

'pyOpenSSL>=16.0.0,<17.5.0',

Which I have done via dc4ad6a2ffedebdc285849ff57f4390087760f10

I guess cryptography has an upper limit due to libssl-dev.

This is a bug in python-cryptography which gets exposed since the release of https://lists.debian.org/debian-security-announce/2018/msg00280.html

There's a fixed package at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914591, I'll build that and upload to stretch-wikimedia.

The CI job does not use the Debian package python-cryptography, it is installed via pip:

Collecting cryptography<2.0.0,>=1.7.0 (from cergen==0.2.3)
00:00:44.899   Downloading https://files.pythonhosted.org/packages/2a/0c/31bd69469e90035381f0197b48bf71032991d9f07a7e444c311b4a23a3df/cryptography-1.9.tar.gz (409kB)

And I guess cryptography 1.x are no more maintained.

Could the CI job use the debian package? I guess not?

MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.Jan 22 2020, 10:02 AM
MoritzMuehlenhoff triaged this task as Medium priority.Jan 23 2020, 8:24 AM

This task is from 2018, is that still an issue?