This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git

commit 85bc17791b1fa2aee6092e866f53c540c7126d2a
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Jan 16 17:31:16 2026 +0000

    Remove the dependency on PyNaCl due to CVE-2025-69277
---
 atr/log.py     | 40 ++++++++++++++++++++--------------------
 pyproject.toml |  2 +-
 uv.lock        | 29 +----------------------------
 3 files changed, 22 insertions(+), 49 deletions(-)

diff --git a/atr/log.py b/atr/log.py
index e121c20..8dca4ac 100644
--- a/atr/log.py
+++ b/atr/log.py
@@ -133,26 +133,26 @@ def python_repr(object_name: str) -> str:
     return f"<{object_name}>"
 
 
-def secret(msg: str, data: bytes) -> None:
-    import base64
-
-    import nacl.encoding as encoding
-    import nacl.public as public
-
-    import atr.config as config
-
-    conf = config.get()
-    public_key_b64 = conf.LOG_PUBLIC_KEY
-    if public_key_b64 is None:
-        raise ValueError("LOG_PUBLIC_KEY is not set")
-
-    recipient_pk = public.PublicKey(
-        public_key_b64.encode("ascii"),
-        encoder=encoding.Base64Encoder,
-    )
-    ciphertext = public.SealedBox(recipient_pk).encrypt(data)
-    encoded_ciphertext = base64.b64encode(ciphertext).decode("ascii")
-    _event(logging.INFO, f"{msg} {encoded_ciphertext}")
+# def secret(msg: str, data: bytes) -> None:
+#     import base64
+
+#     import nacl.encoding as encoding
+#     import nacl.public as public
+
+#     import atr.config as config
+
+#     conf = config.get()
+#     public_key_b64 = conf.LOG_PUBLIC_KEY
+#     if public_key_b64 is None:
+#         raise ValueError("LOG_PUBLIC_KEY is not set")
+
+#     recipient_pk = public.PublicKey(
+#         public_key_b64.encode("ascii"),
+#         encoder=encoding.Base64Encoder,
+#     )
+#     ciphertext = public.SealedBox(recipient_pk).encrypt(data)
+#     encoded_ciphertext = base64.b64encode(ciphertext).decode("ascii")
+#     _event(logging.INFO, f"{msg} {encoded_ciphertext}")
 
 
 def warning(msg: str) -> None:
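Review bot: Commenting out `secret()` removes the name from `atr/log.py`, and this commit changes only that file, `pyproject.toml` and `uv.lock`, so any remaining `log.secret(...)` call site (none is visible here) would now raise AttributeError at run time. That fails closed, which suits data that was only meant to be logged encrypted, but confirm that no caller exists and that none is later switched to one of the module's plaintext logging functions with the same payload. I would delete the block rather than keep it as comments, since git history preserves it and the blank lines inside it were left uncommented, or at least head it with `# Disabled: PyNaCl removed because of CVE-2025-69277; do not restore without a fixed release.` The same applies to the `pyproject.toml` hunk: the commented entry `# "pynacl>=1.5.0",` keeps the old floor, so uncommenting it unchanged would again admit the 1.6.0 release that `uv.lock` pinned before this commit. The `LOG_PUBLIC_KEY` setting read by the old body is presumably unused now and could be dropped in a follow-up.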
diff --git a/pyproject.toml b/pyproject.toml
index e7efc51..7d42d65 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -39,7 +39,7 @@ dependencies = [
   "puremagic>=1.30",
   "pydantic-xml (>=2.17.2,<3.0.0)",
   "pyjwt (>=2.10.1,<3.0.0)",
-  "pynacl>=1.5.0",
+  # "pynacl>=1.5.0",
   "python-decouple~=3.8",
   "python-gnupg~=0.5",
   "quart-schema[pydantic]~=0.21",
diff --git a/uv.lock b/uv.lock
index 6359ff9..e95a51b 100644
--- a/uv.lock
+++ b/uv.lock
@@ -3,7 +3,7 @@ revision = 3
 requires-python = "==3.13.*"
 
 [options]
-exclude-newer = "2026-01-16T14:26:33Z"
+exclude-newer = "2026-01-16T17:38:55Z"
 
 [[package]]
 name = "aiofiles"
@@ -1351,31 +1351,6 @@ wheels = [
     { url = 
"https://files.pythonhosted.org/packages/61/ad/689f02752eeec26aed679477e80e632ef1b682313be70793d798c1d5fc8f/PyJWT-2.10.1-py3-none-any.whl";,
 hash = 
"sha256:dcdd193e30abefd5debf142f9adfcdd2b58004e644f25406ffaebd50bd98dacb", size 
= 22997, upload-time = "2024-11-28T03:43:27.893Z" },
 ]
 
-[[package]]
-name = "pynacl"
-version = "1.6.0"
-source = { registry = "https://pypi.org/simple"; }
-dependencies = [
-    { name = "cffi", marker = "platform_python_implementation != 'PyPy'" },
-]
-sdist = { url = 
"https://files.pythonhosted.org/packages/06/c6/a3124dee667a423f2c637cfd262a54d67d8ccf3e160f3c50f622a85b7723/pynacl-1.6.0.tar.gz";,
 hash = 
"sha256:cb36deafe6e2bce3b286e5d1f3e1c246e0ccdb8808ddb4550bb2792f2df298f2", size 
= 3505641, upload-time = "2025-09-10T23:39:22.308Z" }
-wheels = [
-    { url = 
"https://files.pythonhosted.org/packages/63/37/87c72df19857c5b3b47ace6f211a26eb862ada495cc96daa372d96048fca/pynacl-1.6.0-cp38-abi3-macosx_10_10_universal2.whl";,
 hash = 
"sha256:f4b3824920e206b4f52abd7de621ea7a44fd3cb5c8daceb7c3612345dfc54f2e", size 
= 382610, upload-time = "2025-09-10T23:38:49.459Z" },
-    { url = 
"https://files.pythonhosted.org/packages/0c/64/3ce958a5817fd3cc6df4ec14441c43fd9854405668d73babccf77f9597a3/pynacl-1.6.0-cp38-abi3-manylinux2014_aarch64.manylinux_2_17_aarch64.whl";,
 hash = 
"sha256:16dd347cdc8ae0b0f6187a2608c0af1c8b7ecbbe6b4a06bff8253c192f696990", size 
= 798744, upload-time = "2025-09-10T23:38:58.531Z" },
-    { url = 
"https://files.pythonhosted.org/packages/e4/8a/3f0dd297a0a33fa3739c255feebd0206bb1df0b44c52fbe2caf8e8bc4425/pynacl-1.6.0-cp38-abi3-manylinux2014_x86_64.manylinux_2_17_x86_64.whl";,
 hash = 
"sha256:16c60daceee88d04f8d41d0a4004a7ed8d9a5126b997efd2933e08e93a3bd850", size 
= 1397879, upload-time = "2025-09-10T23:39:00.44Z" },
-    { url = 
"https://files.pythonhosted.org/packages/41/94/028ff0434a69448f61348d50d2c147dda51aabdd4fbc93ec61343332174d/pynacl-1.6.0-cp38-abi3-manylinux_2_26_aarch64.manylinux_2_28_aarch64.whl";,
 hash = 
"sha256:25720bad35dfac34a2bcdd61d9e08d6bfc6041bebc7751d9c9f2446cf1e77d64", size 
= 833907, upload-time = "2025-09-10T23:38:50.936Z" },
-    { url = 
"https://files.pythonhosted.org/packages/52/bc/a5cff7f8c30d5f4c26a07dfb0bcda1176ab8b2de86dda3106c00a02ad787/pynacl-1.6.0-cp38-abi3-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl";,
 hash = 
"sha256:8bfaa0a28a1ab718bad6239979a5a57a8d1506d0caf2fba17e524dbb409441cf", size 
= 1436649, upload-time = "2025-09-10T23:38:52.783Z" },
-    { url = 
"https://files.pythonhosted.org/packages/7a/20/c397be374fd5d84295046e398de4ba5f0722dc14450f65db76a43c121471/pynacl-1.6.0-cp38-abi3-manylinux_2_34_aarch64.whl";,
 hash = 
"sha256:ef214b90556bb46a485b7da8258e59204c244b1b5b576fb71848819b468c44a7", size 
= 817142, upload-time = "2025-09-10T23:38:54.4Z" },
-    { url = 
"https://files.pythonhosted.org/packages/12/30/5efcef3406940cda75296c6d884090b8a9aad2dcc0c304daebb5ae99fb4a/pynacl-1.6.0-cp38-abi3-manylinux_2_34_x86_64.whl";,
 hash = 
"sha256:49c336dd80ea54780bcff6a03ee1a476be1612423010472e60af83452aa0f442", size 
= 1401794, upload-time = "2025-09-10T23:38:56.614Z" },
-    { url = 
"https://files.pythonhosted.org/packages/be/e1/a8fe1248cc17ccb03b676d80fa90763760a6d1247da434844ea388d0816c/pynacl-1.6.0-cp38-abi3-musllinux_1_1_aarch64.whl";,
 hash = 
"sha256:f3482abf0f9815e7246d461fab597aa179b7524628a4bc36f86a7dc418d2608d", size 
= 772161, upload-time = "2025-09-10T23:39:01.93Z" },
-    { url = 
"https://files.pythonhosted.org/packages/a3/76/8a62702fb657d6d9104ce13449db221a345665d05e6a3fdefb5a7cafd2ad/pynacl-1.6.0-cp38-abi3-musllinux_1_1_x86_64.whl";,
 hash = 
"sha256:140373378e34a1f6977e573033d1dd1de88d2a5d90ec6958c9485b2fd9f3eb90", size 
= 1370720, upload-time = "2025-09-10T23:39:03.531Z" },
-    { url = 
"https://files.pythonhosted.org/packages/6d/38/9e9e9b777a1c4c8204053733e1a0269672c0bd40852908c9ad6b6eaba82c/pynacl-1.6.0-cp38-abi3-musllinux_1_2_aarch64.whl";,
 hash = 
"sha256:6b393bc5e5a0eb86bb85b533deb2d2c815666665f840a09e0aa3362bb6088736", size 
= 791252, upload-time = "2025-09-10T23:39:05.058Z" },
-    { url = 
"https://files.pythonhosted.org/packages/63/ef/d972ce3d92ae05c9091363cf185e8646933f91c376e97b8be79ea6e96c22/pynacl-1.6.0-cp38-abi3-musllinux_1_2_x86_64.whl";,
 hash = 
"sha256:4a25cfede801f01e54179b8ff9514bd7b5944da560b7040939732d1804d25419", size 
= 1362910, upload-time = "2025-09-10T23:39:06.924Z" },
-    { url = 
"https://files.pythonhosted.org/packages/35/2c/ee0b373a1861f66a7ca8bdb999331525615061320dd628527a50ba8e8a60/pynacl-1.6.0-cp38-abi3-win32.whl";,
 hash = 
"sha256:dcdeb41c22ff3c66eef5e63049abf7639e0db4edee57ba70531fc1b6b133185d", size 
= 226461, upload-time = "2025-09-10T23:39:11.894Z" },
-    { url = 
"https://files.pythonhosted.org/packages/75/f7/41b6c0b9dd9970173b6acc026bab7b4c187e4e5beef2756d419ad65482da/pynacl-1.6.0-cp38-abi3-win_amd64.whl";,
 hash = 
"sha256:cf831615cc16ba324240de79d925eacae8265b7691412ac6b24221db157f6bd1", size 
= 238802, upload-time = "2025-09-10T23:39:08.966Z" },
-    { url = 
"https://files.pythonhosted.org/packages/8e/0f/462326910c6172fa2c6ed07922b22ffc8e77432b3affffd9e18f444dbfbb/pynacl-1.6.0-cp38-abi3-win_arm64.whl";,
 hash = 
"sha256:84709cea8f888e618c21ed9a0efdb1a59cc63141c403db8bf56c469b71ad56f2", size 
= 183846, upload-time = "2025-09-10T23:39:10.552Z" },
-]
-
 [[package]]
 name = "pyright"
 version = "1.1.408"
@@ -1861,7 +1836,6 @@ dependencies = [
     { name = "puremagic" },
     { name = "pydantic-xml" },
     { name = "pyjwt" },
-    { name = "pynacl" },
     { name = "python-decouple" },
     { name = "python-gnupg" },
     { name = "quart-schema", extra = ["pydantic"] },
@@ -1921,7 +1895,6 @@ requires-dist = [
     { name = "puremagic", specifier = ">=1.30" },
     { name = "pydantic-xml", specifier = ">=2.17.2,<3.0.0" },
     { name = "pyjwt", specifier = ">=2.10.1,<3.0.0" },
-    { name = "pynacl", specifier = ">=1.5.0" },
     { name = "python-decouple", specifier = "~=3.8" },
     { name = "python-gnupg", specifier = "~=0.5" },
     { name = "quart-schema", extras = ["pydantic"], specifier = "~=0.21" },

