[debbugs-tracker] bug#22876: closed (Python can't use https with recent grafts)

[GNU bug Tracking System]

Your message dated Wed, 02 Mar 2016 02:27:52 -0500
with message-id <address@hidden>
and subject line Re: bug#22876: Python can't use https with recent grafts
has caused the debbugs.gnu.org bug report #22876,
regarding Python can't use https with recent grafts
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
22876: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22876
GNU Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> Python can't use https with recent grafts
>
>
>
>
> Date: 
>
> Tue, 01 Mar 2016 15:59:24 -0800
>
>
>
>
> User-agent: 
>
> mu4e 0.9.13; emacs 24.5.1
>
>
>
>
> Most of Guix seems to be working just fine with the grafts support and
> grafting of openssl.  However, unlike most grafts that will be done
> probably, this one removes a feature, and that seems to be creating
> problems in Python land.
>
>   >>> from urllib.request import HTTPSHandler
>   Traceback (most recent call last):
>     File "<stdin>", line 1, in <module>
>   ImportError: cannot import name 'HTTPSHandler'
>
> Notably, virtualenv no longer works:
>
>   $ guix environment --ad-hoc python-virtualenv
>   substitute: updating list of substitutes from 'http://hydra.gnu.org'... 100.0%
>   The following derivations will be built:
>      /gnu/store/mcxrh4ba9pf4855kcbdnz654r0xxf86b-profile.drv
>      /gnu/store/ii3ykjkidhz88ycx4p3gi2c7bhhn1vqz-ca-certificate-bundle.drv
>      /gnu/store/h6fzjn70ki8vk3sxd0863vqjwkds1723-info-dir.drv
>
>   $ virtualenv /tmp/try-virtualenv
>   Using base prefix '/gnu/store/1spkp48cbbzg6ic5qkv3qpm3mvsgwkys-python-3.4.3'
>   New python executable in /tmp/try-virtualenv/bin/python
>   Installing setuptools, pip, wheel...
>     Complete output from command /tmp/try-virtualenv/bin/python -c "import sys, 
> pip; sys...d\"] + sys.argv[1:]))" setuptools pip wheel:
>     Traceback (most recent call last):
>     File "<string>", line 1, in <module>
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv_support/pip-7.1.2-py2.py3-none-any.whl/pip/__init__.py",
>  line 15, in <module>
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv_support/pip-7.1.2-py2.py3-none-any.whl/pip/vcs/subversion.py",
>  line 9, in <module>
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv_support/pip-7.1.2-py2.py3-none-any.whl/pip/index.py",
>  line 30, in <module>
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv_support/pip-7.1.2-py2.py3-none-any.whl/pip/wheel.py",
>  line 35, in <module>
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv_support/pip-7.1.2-py2.py3-none-any.whl/pip/_vendor/distlib/scripts.py",
>  line 14, in <module>
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv_support/pip-7.1.2-py2.py3-none-any.whl/pip/_vendor/distlib/compat.py",
>  line 66, in <module>
>   ImportError: cannot import name 'HTTPSHandler'
>   ----------------------------------------
>   ...Installing setuptools, pip, wheel...done.
>   Traceback (most recent call last):
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/bin/.virtualenv-real",
>  line 9, in <module>
>       load_entry_point('virtualenv==13.1.2', 'console_scripts', 'virtualenv')()
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv.py",
>  line 832, in main
>       symlink=options.symlink)
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv.py",
>  line 1004, in create_environment
>       install_wheel(to_install, py_executable, search_dirs)
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv.py",
>  line 969, in install_wheel
>       'PIP_NO_INDEX': '1'
>     File 
> "/gnu/store/h38982xp00s1g95nzr6lws31w8q8njb3-python-virtualenv-13.1.2/lib/python3.4/site-packages/virtualenv-13.1.2-py3.4.egg/virtualenv.py",
>  line 910, in call_subprocess
>       % (cmd_desc, proc.returncode))
>   OSError: Command /tmp/try-virtualenv/bin/python -c "import sys, pip; 
> sys...d\"] + sys.argv[1:]))" setuptools pip wheel failed with error code 1
>
> I'm not really sure this is a problem with the new grafts system.  It
> might just be that a "fix" which tears parts of a library is going to
> cause unexpected problems in some places for ABI incompatibility
> reasons.
>
> Not sure if we should just wait for the world-rebuild or what right
> now...!
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#22876: Python can't use https with recent grafts
>
>
>
>
> Date: 
>
> Wed, 02 Mar 2016 02:27:52 -0500
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/25.0.91 (gnu/linux)
>
>
>
>
> In brief, I believe this is fixed by commit 03a0e682a8 on master.
> See below for details.
>
> Christopher Allan Webber <address@hidden> writes:
>
> > Christopher Allan Webber writes:
> >
> >> Most of Guix seems to be working just fine with the grafts support and
> >> grafting of openssl.  However, unlike most grafts that will be done
> >> probably, this one removes a feature, and that seems to be creating
> >> problems in Python land.
> >>
> >>   >>> from urllib.request import HTTPSHandler
> >>   Traceback (most recent call last):
> >>     File "<stdin>", line 1, in <module>
> >>   ImportError: cannot import name 'HTTPSHandler'
> >
> > As expected, this is for the same reasons offlineimap seemed to have
> > problems:
> >
> >   address@hidden:~/devel/mediagoblin$ python3
> >   Python 3.4.3 (default, Jan  1 1970, 00:00:01) 
> >   [GCC 4.9.3] on linux
> >   Type "help", "copyright", "credits" or "license" for more information.
> >   >>> import ssl
> >   Traceback (most recent call last):
> >     File "<stdin>", line 1, in <module>
> >     File 
> > "/gnu/store/1spkp48cbbzg6ic5qkv3qpm3mvsgwkys-python-3.4.3/lib/python3.4/ssl.py",
> >  line 97, in <module>
> >       import _ssl             # if we can't import it, let the error propagate
> >   ImportError: 
> > /gnu/store/1spkp48cbbzg6ic5qkv3qpm3mvsgwkys-python-3.4.3/lib/python3.4/lib-dynload/_ssl.cpython-34m.so:
> >  undefined symbol: SSLv2_method
> >
> > This leads to my suspicion that it's not really grafting's fault here,
> > it's the *removal* of a piece of code, thus making things
> > abi-incompatible with the system we built.
>
> That's exactly right, and it turns out that Guix is not the only one who
> was bitten by this, e.g.:
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=1313509
>   https://bodhi.fedoraproject.org/updates/openssl-1.0.2g-1.fc23#comment-395291
>   https://forums.gentoo.org/viewtopic-p-7886940.html
>
> I believe this issue is fixed by commit 03a0e682a8 on master.  In my
> tests, I found that it fixes offlineimap, virtualenv, and importing
> HTTPSHandler from urllib.request.
>
> The fix is simply to add "enable-ssl2" to the arguments passed to the
> OpenSSL ./config script.  I concluded that this is safe based on the
> following excerpt from the CHANGES file:
>
>   * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
>     is by default disabled at build-time.  Builds that are not configured with
>     "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
>     users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
>     will need to explicitly call either of:
>
>         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
>     or
>         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
>
>     as appropriate.  Even if either of those is used, or the application
>     explicitly uses the version-specific SSLv2_method() or its client and
>     server variants, SSLv2 ciphers vulnerable to exhaustive search key
>     recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
>     ciphers, and SSLv2 56-bit DES are no longer available.
>     (CVE-2016-0800)
>     [Viktor Dukhovni]
>
> Note that the "enable-ssl2" option is only needed when grafting, because
> that's the only case where we need to preserve ABI compatibility.  I've
> verified that 'offlineimap' works on the security-updates branch, where
> openssl-1.0.2g has been updated in the normal way, without grafting and
> without the "enable-ssl2" option.
>
> > Hopefully most grafting situations won't require this.  I think that's
> > right? :)
>
> Yes.  When grafting, we must ensure ABI compatibility.  The mistake here
> was that the ABI of the grafted OpenSSL was different than the one it
> replaced.  Like Fedora and Gentoo, we expected upstream to ensure that
> 1.0.2g was ABI compatible with 1.0.2f.  I believe this was a reasonable
> expectation.
>
> > Is it possible to graft on top of a graft?
>
> Good question, I don't know!  I guess we should test this, for the sake
> of robustness, but on the other hand, I don't see a practical need for
> this feature.  In general, we can simply update the replacement package,
> which is what I've done in 03a0e682a8.
>
> I'm closing this bug, but feel free to re-open it if you find that
> problems remain.
>
>     Thanks!
>       Mark
>
>
> --- End Message ---