Hello community,

here is the log from the commit of package python-pyotp for openSUSE:Factory 
checked in at 2023-01-03 15:05:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyotp (Old)
 and      /work/SRC/openSUSE:Factory/.python-pyotp.new.1563 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-pyotp"

Tue Jan  3 15:05:22 2023 rev:6 rq:1046273 version:2.8.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyotp/python-pyotp.changes        
2022-10-14 15:42:07.607877071 +0200
+++ /work/SRC/openSUSE:Factory/.python-pyotp.new.1563/python-pyotp.changes      
2023-01-03 15:05:39.734613827 +0100
@@ -1,0 +2,8 @@
+Mon Jan  2 18:54:50 UTC 2023 - Dirk Müller <[email protected]>
+
+- update to v2.8.0:
+  * Modify OTP generation to run in constant time
+  * Documentation improvements
+  * Drop Python 3.6 support; introduce Python 3.11 support
+
+-------------------------------------------------------------------
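
Review bot: The v2.8.0 changelog entry omits a behaviour change that ships in this same update: the otp.py diff below makes the OTP constructor raise ValueError("digits must be no greater than 10"). Code that passed a larger digits value will now fail at construction, so add a bullet for it next to the constant-time item.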

Old:
----
  pyotp-2.7.0.tar.gz

New:
----
  pyotp-2.8.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-pyotp.spec ++++++
--- /var/tmp/diff_new_pack.DIWdHl/_old  2023-01-03 15:05:40.786619967 +0100
+++ /var/tmp/diff_new_pack.DIWdHl/_new  2023-01-03 15:05:40.790619990 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-pyotp
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,13 +19,14 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
 Name:           python-pyotp
-Version:        2.7.0
+Version:        2.8.0
 Release:        0
 Summary:        Python One Time Password Library
 License:        MIT
 Group:          Development/Languages/Python
-URL:            https://github.com/pyotp/pyotp
+URL:            https://github.com/pyauth/pyotp
 Source:         
https://files.pythonhosted.org/packages/source/p/pyotp/pyotp-%{version}.tar.gz
+BuildRequires:  %{python_module base >= 3.7}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
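
Review bot: The URL: tag now points at https://github.com/pyauth/pyotp, but the upstream metadata inside the new tarball (Home-page in PKG-INFO, url in setup.py) still reads https://github.com/pyotp/pyotp. Confirm that the pyauth location is the canonical upstream and raise the stale metadata with upstream, so the package's stated origin is unambiguous.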

++++++ pyotp-2.7.0.tar.gz -> pyotp-2.8.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/PKG-INFO new/pyotp-2.8.0/PKG-INFO
--- old/pyotp-2.7.0/PKG-INFO    2022-09-11 21:37:58.281352000 +0200
+++ new/pyotp-2.8.0/PKG-INFO    2022-12-14 04:54:21.049833300 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pyotp
-Version: 2.7.0
+Version: 2.8.0
 Summary: Python One Time Password Library
 Home-page: https://github.com/pyotp/pyotp
 Author: PyOTP contributors
@@ -20,7 +20,7 @@
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Python: >=3.6
+Requires-Python: >=3.7
 License-File: LICENSE
 
 PyOTP - The Python One-Time Password Library
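
Review bot: The classifier list in this hunk's context ends at Programming Language :: Python :: 3.10, with no 3.11 entry, although the changelog announces Python 3.11 support alongside the Requires-Python bump to >=3.7. If 3.11 is supported, the classifiers should say so; that is an upstream fix in setup.py, since PKG-INFO is generated from it.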
@@ -45,7 +45,7 @@
 - Ensure HOTP/TOTP secret confidentiality by storing secrets in a controlled 
access database
 - Deny replay attacks by rejecting one-time passwords that have been used by 
the client (this requires storing the most 
   recently authenticated timestamp, OTP, or hash of the OTP in your database, 
and rejecting the OTP when a match is seen)
-- Throttle (rate limit) brute-force attacks against your application's login 
functionality
+- Throttle (rate limit) brute-force attacks against your application's login 
functionality (see RFC 4226, section 7.3)
 - When implementing a "greenfield" application, consider supporting
   `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn 
<https://www.w3.org/TR/webauthn/>`_ in
   addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a 
shared secret design, which strengthens your
@@ -80,6 +80,9 @@
 ~~~~~~~~~~~~~~~
 ::
 
+    import pyotp
+    import time
+
     totp = pyotp.TOTP('base32secret3232')
     totp.now() # => '492039'
 
@@ -92,6 +95,8 @@
 ~~~~~~~~~~~~~~~~~~
 ::
 
+    import pyotp
+    
     hotp = pyotp.HOTP('base32secret3232')
     hotp.at(0) # => '260182'
     hotp.at(1) # => '055283'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/README.rst new/pyotp-2.8.0/README.rst
--- old/pyotp-2.7.0/README.rst  2022-09-11 20:31:53.000000000 +0200
+++ new/pyotp-2.8.0/README.rst  2022-12-14 04:34:30.000000000 +0100
@@ -20,7 +20,7 @@
 - Ensure HOTP/TOTP secret confidentiality by storing secrets in a controlled 
access database
 - Deny replay attacks by rejecting one-time passwords that have been used by 
the client (this requires storing the most 
   recently authenticated timestamp, OTP, or hash of the OTP in your database, 
and rejecting the OTP when a match is seen)
-- Throttle (rate limit) brute-force attacks against your application's login 
functionality
+- Throttle (rate limit) brute-force attacks against your application's login 
functionality (see RFC 4226, section 7.3)
 - When implementing a "greenfield" application, consider supporting
   `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn 
<https://www.w3.org/TR/webauthn/>`_ in
   addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a 
shared secret design, which strengthens your
@@ -55,6 +55,9 @@
 ~~~~~~~~~~~~~~~
 ::
 
+    import pyotp
+    import time
+
     totp = pyotp.TOTP('base32secret3232')
     totp.now() # => '492039'
 
@@ -67,6 +70,8 @@
 ~~~~~~~~~~~~~~~~~~
 ::
 
+    import pyotp
+    
     hotp = pyotp.HOTP('base32secret3232')
     hotp.at(0) # => '260182'
     hotp.at(1) # => '055283'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/setup.py new/pyotp-2.8.0/setup.py
--- old/pyotp-2.7.0/setup.py    2022-09-11 21:37:07.000000000 +0200
+++ new/pyotp-2.8.0/setup.py    2022-12-14 04:53:16.000000000 +0100
@@ -4,14 +4,14 @@
 
 setup(
     name="pyotp",
-    version="2.7.0",
+    version="2.8.0",
     url="https://github.com/pyotp/pyotp";,
     license="MIT License",
     author="PyOTP contributors",
     author_email="[email protected]",
     description="Python One Time Password Library",
     long_description=open("README.rst").read(),
-    python_requires=">=3.6",
+    python_requires=">=3.7",
     install_requires=[],
     packages=["pyotp", "pyotp.contrib"],
     package_dir={"": "src"},
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/src/pyotp/__init__.py 
new/pyotp-2.8.0/src/pyotp/__init__.py
--- old/pyotp-2.7.0/src/pyotp/__init__.py       2022-09-11 20:53:33.000000000 
+0200
+++ new/pyotp-2.8.0/src/pyotp/__init__.py       2022-12-14 04:51:41.000000000 
+0100
@@ -41,7 +41,7 @@
     secret = None
 
     # Data we'll parse to the correct constructor
-    otp_data = {}  # type: Dict[str, Any]
+    otp_data: Dict[str, Any] = {}
 
     # Parse with URLlib
     parsed_uri = urlparse(unquote(uri))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/src/pyotp/hotp.py 
new/pyotp-2.8.0/src/pyotp/hotp.py
--- old/pyotp-2.7.0/src/pyotp/hotp.py   2022-09-11 20:53:33.000000000 +0200
+++ new/pyotp-2.8.0/src/pyotp/hotp.py   2022-12-14 04:34:30.000000000 +0100
@@ -14,7 +14,7 @@
         self,
         s: str,
         digits: int = 6,
-        digest: Any = hashlib.sha1,
+        digest: Any = None,
         name: Optional[str] = None,
         issuer: Optional[str] = None,
         initial_count: int = 0,
@@ -23,10 +23,13 @@
         :param s: secret in base32 format
         :param initial_count: starting HMAC counter value, defaults to 0
         :param digits: number of integers in the OTP. Some apps expect this to 
be 6 digits, others support more.
-        :param digest: digest function to use in the HMAC (expected to be sha1)
+        :param digest: digest function to use in the HMAC (expected to be SHA1)
         :param name: account name
         :param issuer: issuer
         """
+        if digest is None:
+            digest = hashlib.sha1
+
         self.initial_count = initial_count
         super().__init__(s=s, digits=digits, digest=digest, name=name, 
issuer=issuer)
 
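
Review bot: The :param digest: line still reads "expected to be SHA1" and does not say that the new default None selects hashlib.sha1, and the annotation in the signature stays Any. Document the None fallback in the docstring and consider an Optional type so callers and type checkers can see the contract.
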
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/src/pyotp/otp.py 
new/pyotp-2.8.0/src/pyotp/otp.py
--- old/pyotp-2.7.0/src/pyotp/otp.py    2022-09-11 20:53:33.000000000 +0200
+++ new/pyotp-2.8.0/src/pyotp/otp.py    2022-12-14 04:51:41.000000000 +0100
@@ -18,6 +18,8 @@
         issuer: Optional[str] = None,
     ) -> None:
         self.digits = digits
+        if digits > 10:
+            raise ValueError("digits must be no greater than 10")
         self.digest = digest
         self.secret = s
         self.name = name or "Secret"
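
Review bot: The new digits check has an upper bound only, and it runs after self.digits has already been assigned. digits=0 passes it, and with the str_code[-self.digits :] slice introduced in the next hunk a zero gives str_code[-0:], which is the whole 11-character string rather than a rejected value. Validate 1 <= digits <= 10 before the assignment.
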
@@ -39,11 +41,8 @@
             | (hmac_hash[offset + 2] & 0xFF) << 8
             | (hmac_hash[offset + 3] & 0xFF)
         )
-        str_code = str(code % 10**self.digits)
-        while len(str_code) < self.digits:
-            str_code = "0" + str_code
-
-        return str_code
+        str_code = str(10_000_000_000 + (code % 10**self.digits))
+        return str_code[-self.digits :]
 
     def byte_secret(self) -> bytes:
         secret = self.secret
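
Review bot: The literal 10_000_000_000 in the new str_code line pads correctly only while digits <= 10, so it is silently coupled to the check added in the constructor, and nothing in the hunk says why the padding loop was replaced. Add a comment tying this to the constant-time change named in the changelog and derive both the offset and the limit from one named constant. A regression test on a code with a leading zero (the README's hotp.at(1) # => '055283') would pin the padding behaviour.
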
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/src/pyotp/totp.py 
new/pyotp-2.8.0/src/pyotp/totp.py
--- old/pyotp-2.7.0/src/pyotp/totp.py   2022-09-11 20:53:33.000000000 +0200
+++ new/pyotp-2.8.0/src/pyotp/totp.py   2022-12-14 04:34:30.000000000 +0100
@@ -17,7 +17,7 @@
         self,
         s: str,
         digits: int = 6,
-        digest: Any = hashlib.sha1,
+        digest: Any = None,
         name: Optional[str] = None,
         issuer: Optional[str] = None,
         interval: int = 30,
@@ -26,10 +26,13 @@
         :param s: secret in base32 format
         :param interval: the time interval in seconds for OTP. This defaults 
to 30.
         :param digits: number of integers in the OTP. Some apps expect this to 
be 6 digits, others support more.
-        :param digest: digest function to use in the HMAC (expected to be sha1)
+        :param digest: digest function to use in the HMAC (expected to be SHA1)
         :param name: account name
         :param issuer: issuer
         """
+        if digest is None:
+            digest = hashlib.sha1
+
         self.interval = interval
         super().__init__(s=s, digits=digits, digest=digest, name=name, 
issuer=issuer)
 
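
Review bot: The "if digest is None: digest = hashlib.sha1" fallback added here is a copy of the one added to hotp.py, and both classes then pass digest straight to super().__init__. Moving the fallback into the shared base constructor would keep the default algorithm defined in one place.
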
@@ -37,7 +40,9 @@
         """
         Accepts either a Unix timestamp integer or a datetime object.
 
-        To get the time until the next timecode change (seconds until the 
current OTP expires), use this instead::
+        To get the time until the next timecode change (seconds until the 
current OTP expires), use this instead:
+
+        .. code:: python
 
             totp = pyotp.TOTP(...)
             time_remaining = totp.interval - 
datetime.datetime.now().timestamp() % totp.interval
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/src/pyotp/utils.py 
new/pyotp-2.8.0/src/pyotp/utils.py
--- old/pyotp-2.7.0/src/pyotp/utils.py  2022-09-11 20:53:33.000000000 +0200
+++ new/pyotp-2.8.0/src/pyotp/utils.py  2022-12-14 04:51:41.000000000 +0100
@@ -49,7 +49,7 @@
     otp_type = "hotp" if is_initial_count_present else "totp"
     base_uri = "otpauth://{0}/{1}?{2}"
 
-    url_args = {"secret": secret}  # type: Dict[str, Union[None, int, str]]
+    url_args: Dict[str, Union[None, int, str]] = {"secret": secret}
 
     label = quote(name)
     if issuer is not None:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.7.0/src/pyotp.egg-info/PKG-INFO 
new/pyotp-2.8.0/src/pyotp.egg-info/PKG-INFO
--- old/pyotp-2.7.0/src/pyotp.egg-info/PKG-INFO 2022-09-11 21:37:58.000000000 
+0200
+++ new/pyotp-2.8.0/src/pyotp.egg-info/PKG-INFO 2022-12-14 04:54:21.000000000 
+0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pyotp
-Version: 2.7.0
+Version: 2.8.0
 Summary: Python One Time Password Library
 Home-page: https://github.com/pyotp/pyotp
 Author: PyOTP contributors
@@ -20,7 +20,7 @@
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Python: >=3.6
+Requires-Python: >=3.7
 License-File: LICENSE
 
 PyOTP - The Python One-Time Password Library
@@ -45,7 +45,7 @@
 - Ensure HOTP/TOTP secret confidentiality by storing secrets in a controlled 
access database
 - Deny replay attacks by rejecting one-time passwords that have been used by 
the client (this requires storing the most 
   recently authenticated timestamp, OTP, or hash of the OTP in your database, 
and rejecting the OTP when a match is seen)
-- Throttle (rate limit) brute-force attacks against your application's login 
functionality
+- Throttle (rate limit) brute-force attacks against your application's login 
functionality (see RFC 4226, section 7.3)
 - When implementing a "greenfield" application, consider supporting
   `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn 
<https://www.w3.org/TR/webauthn/>`_ in
   addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a 
shared secret design, which strengthens your
@@ -80,6 +80,9 @@
 ~~~~~~~~~~~~~~~
 ::
 
+    import pyotp
+    import time
+
     totp = pyotp.TOTP('base32secret3232')
     totp.now() # => '492039'
 
@@ -92,6 +95,8 @@
 ~~~~~~~~~~~~~~~~~~
 ::
 
+    import pyotp
+    
     hotp = pyotp.HOTP('base32secret3232')
     hotp.at(0) # => '260182'
     hotp.at(1) # => '055283'
