If running under -O[O] is a supported configuration for Cryptography now, is there a plan to migrate to something other than py.test so that the test suite can meaningfully execute in that environment as well? My usual assumption is that any Python with 'assert's in its test suite implicitly assumes this option will never be used.
If running the test suite is impossible in such an interpreter, then perhaps it would be better to detect this configuration and fail hard, rather than piecemeal supporting bits of it, especially if bugs like this potentially cause security issues. -glyph > On Sep 27, 2015, at 7:07 AM, Paul Kehrer <paul.l.keh...@gmail.com> wrote: > > PyCA cryptography 1.0.2 has been released. This release contains a security > fix that affects anyone running python with -O. > > Changelog: > > * SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of > assertions to check response codes where our tests could not trigger a > failure. However, when Python is run with -O these asserts are optimized > away. If a user ran Python with this flag and got an invalid response code > this could result in undefined behavior or worse. Accordingly, all response > checks from the OpenSSL backend have been converted from assert to a true > function call. Credit Emilia Käsper (Google Security Team) for the report. > > -Paul Kehrer (reaperhulk) > _______________________________________________ > Cryptography-dev mailing list > Cryptography-dev@python.org <mailto:Cryptography-dev@python.org> > https://mail.python.org/mailman/listinfo/cryptography-dev > <https://mail.python.org/mailman/listinfo/cryptography-dev>
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
