Hello community,

here is the log from the commit of package python-pyotp for openSUSE:Factory 
checked in at 2019-07-31 14:29:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyotp (Old)
 and      /work/SRC/openSUSE:Factory/.python-pyotp.new.4126 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-pyotp"

Wed Jul 31 14:29:24 2019 rev:2 rq:719837 version:2.3.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyotp/python-pyotp.changes        
2019-03-26 22:34:10.153680491 +0100
+++ /work/SRC/openSUSE:Factory/.python-pyotp.new.4126/python-pyotp.changes      
2019-07-31 14:29:33.746073441 +0200
@@ -1,0 +2,8 @@
+Tue Jul 30 12:00:33 UTC 2019 - [email protected]
+
+- version update to 2.3.0
+  * Fix comparison behavior on Python 2.7
+  * Fix comparison of unicode chars (#78)
+  * Minor documentation and test fixes
+
+-------------------------------------------------------------------

Old:
----
  pyotp-2.2.7.tar.gz

New:
----
  pyotp-2.3.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-pyotp.spec ++++++
--- /var/tmp/diff_new_pack.d9syjx/_old  2019-07-31 14:29:34.446072875 +0200
+++ /var/tmp/diff_new_pack.d9syjx/_new  2019-07-31 14:29:34.450072871 +0200
@@ -18,7 +18,7 @@
 
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-pyotp
-Version:        2.2.7
+Version:        2.3.0
 Release:        0
 Summary:        Python One Time Password Library
 License:        MIT

++++++ pyotp-2.2.7.tar.gz -> pyotp-2.3.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.2.7/PKG-INFO new/pyotp-2.3.0/PKG-INFO
--- old/pyotp-2.2.7/PKG-INFO    2018-11-06 01:23:49.000000000 +0100
+++ new/pyotp-2.3.0/PKG-INFO    2019-07-26 19:00:12.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: pyotp
-Version: 2.2.7
+Version: 2.3.0
 Summary: Python One Time Password Library
 Home-page: https://github.com/pyotp/pyotp
 Author: PyOTP contributors
@@ -29,14 +29,16 @@
         - Deny replay attacks by rejecting one-time passwords that have been 
used by the client (this requires storing the most 
           recently authenticated timestamp, OTP, or hash of the OTP in your 
database, and rejecting the OTP when a match is seen)
         - Throttle brute-force attacks against your application's login 
functionality
-        - When implementing a "green field" application, consider supporting
-          `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_ in 
addition to HOTP/TOTP. U2F uses asymmetric
-          cryptography to avoid using a shared secret design, which 
strengthens your MFA solution against server-side compromise.
-          Hardware U2F also sequesters the client secret in a dedicated 
single-purpose device, which strengthens your clients
-          against client-side compromise.
+        - When implementing a "greenfield" application, consider supporting
+          `FIDO U2F 
<https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn 
<https://www.w3.org/TR/webauthn/>`_ in
+          addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid 
using a shared secret design, which strengthens your
+          MFA solution against server-side attacks. Hardware U2F also 
sequesters the client secret in a dedicated single-purpose
+          device, which strengthens your clients against client-side attacks. 
And by automating scoping of credentials to
+          relying party IDs (application origin/domain names), U2F adds 
protection against phishing attacks. One implementation of
+          FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP 
<https://github.com/pyauth/pywarp>`_.
         
         We also recommend that implementers read the
-        `OWASP Authentication Cheat Sheet 
<https://www.owasp.org/index.php/Authentication_Cheat_Sheet>`_ and
+        `OWASP Authentication Cheat Sheet 
<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_
 and
         `NIST SP 800-63-3: Digital Authentication Guideline 
<https://pages.nist.gov/800-63-3/>`_ for a high level overview of
         authentication best practices.
         
@@ -110,7 +112,7 @@
         
         Scan the following barcode with your phone's OTP app (e.g. Google 
Authenticator):
         
-        .. image:: 
http://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP
+        .. image:: 
https://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP
         
         Now run the following and compare the output::
         
@@ -129,9 +131,14 @@
         * `RFC 6238: TOTP: Time-Based One-Time Password Algorithm 
<https://tools.ietf.org/html/rfc6238>`_
         * `ROTP <https://github.com/mdp/rotp>`_ - Original Ruby OTP library by 
`Mark Percival <https://github.com/mdp>`_
         * `OTPHP <https://github.com/lelag/otphp>`_ - PHP port of ROTP by `Le 
Lag <https://github.com/lelag>`_
-        * `OWASP Authentication Cheat Sheet 
<https://www.owasp.org/index.php/Authentication_Cheat_Sheet>`_
+        * `OWASP Authentication Cheat Sheet 
<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_
         * `NIST SP 800-63-3: Digital Authentication Guideline 
<https://pages.nist.gov/800-63-3/>`_
         
+        For new applications:
+        
+        * `WebAuthn <https://www.w3.org/TR/webauthn/>`_
+        * `PyWARP <https://github.com/pyauth/pywarp>`_
+        
         .. image:: https://img.shields.io/travis/pyotp/pyotp.svg
                 :target: https://travis-ci.org/pyotp/pyotp
         .. image:: 
https://img.shields.io/codecov/c/github/pyotp/pyotp/master.svg
@@ -151,6 +158,8 @@
 Classifier: Operating System :: POSIX
 Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 2.7
-Classifier: Programming Language :: Python :: 3.3
 Classifier: Programming Language :: Python :: 3.4
+Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.2.7/README.rst new/pyotp-2.3.0/README.rst
--- old/pyotp-2.2.7/README.rst  2018-11-06 00:46:27.000000000 +0100
+++ new/pyotp-2.3.0/README.rst  2019-07-26 18:44:42.000000000 +0200
@@ -21,14 +21,16 @@
 - Deny replay attacks by rejecting one-time passwords that have been used by 
the client (this requires storing the most 
   recently authenticated timestamp, OTP, or hash of the OTP in your database, 
and rejecting the OTP when a match is seen)
 - Throttle brute-force attacks against your application's login functionality
-- When implementing a "green field" application, consider supporting
-  `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_ in addition 
to HOTP/TOTP. U2F uses asymmetric
-  cryptography to avoid using a shared secret design, which strengthens your 
MFA solution against server-side compromise.
-  Hardware U2F also sequesters the client secret in a dedicated single-purpose 
device, which strengthens your clients
-  against client-side compromise.
+- When implementing a "greenfield" application, consider supporting
+  `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn 
<https://www.w3.org/TR/webauthn/>`_ in
+  addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid using a 
shared secret design, which strengthens your
+  MFA solution against server-side attacks. Hardware U2F also sequesters the 
client secret in a dedicated single-purpose
+  device, which strengthens your clients against client-side attacks. And by 
automating scoping of credentials to
+  relying party IDs (application origin/domain names), U2F adds protection 
against phishing attacks. One implementation of
+  FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP 
<https://github.com/pyauth/pywarp>`_.
 
 We also recommend that implementers read the
-`OWASP Authentication Cheat Sheet 
<https://www.owasp.org/index.php/Authentication_Cheat_Sheet>`_ and
+`OWASP Authentication Cheat Sheet 
<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_
 and
 `NIST SP 800-63-3: Digital Authentication Guideline 
<https://pages.nist.gov/800-63-3/>`_ for a high level overview of
 authentication best practices.
 
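Review bot: the rewritten bullet links "FIDO U2F/WebAuthn" but the three sentences after it credit the properties to "U2F" alone, including the new relying-party scoping sentence. Scoping credentials to the relying party ID is also how WebAuthn works, so consider writing "U2F/WebAuthn" throughout the bullet, and dropping the sentence-initial "And" in "And by automating scoping of credentials".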
@@ -102,7 +104,7 @@
 
 Scan the following barcode with your phone's OTP app (e.g. Google 
Authenticator):
 
-.. image:: 
http://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP
+.. image:: 
https://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP
 
 Now run the following and compare the output::
 
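Review bot: moving the image to https is right, but the chl parameter still sends the full otpauth URI, including secret=JBSWY3DPEHPK3PXP, to a third-party chart service. That is harmless for this sample secret; a sentence beside the image telling readers to render provisioning QR codes locally for real secrets would stop the example being copied as a pattern.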
@@ -121,9 +123,14 @@
 * `RFC 6238: TOTP: Time-Based One-Time Password Algorithm 
<https://tools.ietf.org/html/rfc6238>`_
 * `ROTP <https://github.com/mdp/rotp>`_ - Original Ruby OTP library by `Mark 
Percival <https://github.com/mdp>`_
 * `OTPHP <https://github.com/lelag/otphp>`_ - PHP port of ROTP by `Le Lag 
<https://github.com/lelag>`_
-* `OWASP Authentication Cheat Sheet 
<https://www.owasp.org/index.php/Authentication_Cheat_Sheet>`_
+* `OWASP Authentication Cheat Sheet 
<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_
 * `NIST SP 800-63-3: Digital Authentication Guideline 
<https://pages.nist.gov/800-63-3/>`_
 
+For new applications:
+
+* `WebAuthn <https://www.w3.org/TR/webauthn/>`_
+* `PyWARP <https://github.com/pyauth/pywarp>`_
+
 .. image:: https://img.shields.io/travis/pyotp/pyotp.svg
         :target: https://travis-ci.org/pyotp/pyotp
 .. image:: https://img.shields.io/codecov/c/github/pyotp/pyotp/master.svg
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.2.7/setup.py new/pyotp-2.3.0/setup.py
--- old/pyotp-2.2.7/setup.py    2018-11-06 01:22:58.000000000 +0100
+++ new/pyotp-2.3.0/setup.py    2019-07-26 18:59:59.000000000 +0200
@@ -7,7 +7,7 @@
 
 setup(
     name="pyotp",
-    version="2.2.7",
+    version="2.3.0",
     url="https://github.com/pyotp/pyotp";,
     license="MIT License",
     author="PyOTP contributors",
@@ -27,8 +27,10 @@
         "Operating System :: POSIX",
         "Programming Language :: Python",
         "Programming Language :: Python :: 2.7",
-        "Programming Language :: Python :: 3.3",
         "Programming Language :: Python :: 3.4",
+        "Programming Language :: Python :: 3.5",
+        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
         "Topic :: Software Development :: Libraries :: Python Modules"
     ]
 )
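Review bot: the classifier list drops "Programming Language :: Python :: 3.3", but classifiers are descriptive metadata and do not stop the package installing on 3.3. If setup() does not already pass python_requires elsewhere in the file, add it in this change so the supported range is actually enforced.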
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.2.7/src/pyotp/utils.py 
new/pyotp-2.3.0/src/pyotp/utils.py
--- old/pyotp-2.2.7/src/pyotp/utils.py  2018-11-06 01:18:18.000000000 +0100
+++ new/pyotp-2.3.0/src/pyotp/utils.py  2019-07-26 18:58:24.000000000 +0200
@@ -106,4 +106,4 @@
     """
     s1 = unicodedata.normalize('NFKC', s1)
     s2 = unicodedata.normalize('NFKC', s2)
-    return compare_digest(s1, s2)
+    return compare_digest(s1.encode("utf-8"), s2.encode("utf-8"))
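Review bot: the new return line encodes both operands with no comment saying why, and the reason is not obvious from the call. Assuming compare_digest here is hmac.compare_digest, it accepts str arguments only when they are ASCII and raises TypeError otherwise, so NFKC-normalized input containing characters such as "ěšč" would raise instead of comparing; encoding to UTF-8 bytes keeps the constant-time comparison for arbitrary text. Suggest a one-line comment above the return stating this, so the encode calls are not later removed as redundant.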
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.2.7/src/pyotp.egg-info/PKG-INFO 
new/pyotp-2.3.0/src/pyotp.egg-info/PKG-INFO
--- old/pyotp-2.2.7/src/pyotp.egg-info/PKG-INFO 2018-11-06 01:23:49.000000000 
+0100
+++ new/pyotp-2.3.0/src/pyotp.egg-info/PKG-INFO 2019-07-26 19:00:12.000000000 
+0200
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: pyotp
-Version: 2.2.7
+Version: 2.3.0
 Summary: Python One Time Password Library
 Home-page: https://github.com/pyotp/pyotp
 Author: PyOTP contributors
@@ -29,14 +29,16 @@
         - Deny replay attacks by rejecting one-time passwords that have been 
used by the client (this requires storing the most 
           recently authenticated timestamp, OTP, or hash of the OTP in your 
database, and rejecting the OTP when a match is seen)
         - Throttle brute-force attacks against your application's login 
functionality
-        - When implementing a "green field" application, consider supporting
-          `FIDO U2F <https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_ in 
addition to HOTP/TOTP. U2F uses asymmetric
-          cryptography to avoid using a shared secret design, which 
strengthens your MFA solution against server-side compromise.
-          Hardware U2F also sequesters the client secret in a dedicated 
single-purpose device, which strengthens your clients
-          against client-side compromise.
+        - When implementing a "greenfield" application, consider supporting
+          `FIDO U2F 
<https://en.wikipedia.org/wiki/Universal_2nd_Factor>`_/`WebAuthn 
<https://www.w3.org/TR/webauthn/>`_ in
+          addition to HOTP/TOTP. U2F uses asymmetric cryptography to avoid 
using a shared secret design, which strengthens your
+          MFA solution against server-side attacks. Hardware U2F also 
sequesters the client secret in a dedicated single-purpose
+          device, which strengthens your clients against client-side attacks. 
And by automating scoping of credentials to
+          relying party IDs (application origin/domain names), U2F adds 
protection against phishing attacks. One implementation of
+          FIDO U2F/WebAuthn is PyOTP's sister project, `PyWARP 
<https://github.com/pyauth/pywarp>`_.
         
         We also recommend that implementers read the
-        `OWASP Authentication Cheat Sheet 
<https://www.owasp.org/index.php/Authentication_Cheat_Sheet>`_ and
+        `OWASP Authentication Cheat Sheet 
<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_
 and
         `NIST SP 800-63-3: Digital Authentication Guideline 
<https://pages.nist.gov/800-63-3/>`_ for a high level overview of
         authentication best practices.
         
@@ -110,7 +112,7 @@
         
         Scan the following barcode with your phone's OTP app (e.g. Google 
Authenticator):
         
-        .. image:: 
http://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP
+        .. image:: 
https://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP
         
         Now run the following and compare the output::
         
@@ -129,9 +131,14 @@
         * `RFC 6238: TOTP: Time-Based One-Time Password Algorithm 
<https://tools.ietf.org/html/rfc6238>`_
         * `ROTP <https://github.com/mdp/rotp>`_ - Original Ruby OTP library by 
`Mark Percival <https://github.com/mdp>`_
         * `OTPHP <https://github.com/lelag/otphp>`_ - PHP port of ROTP by `Le 
Lag <https://github.com/lelag>`_
-        * `OWASP Authentication Cheat Sheet 
<https://www.owasp.org/index.php/Authentication_Cheat_Sheet>`_
+        * `OWASP Authentication Cheat Sheet 
<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>`_
         * `NIST SP 800-63-3: Digital Authentication Guideline 
<https://pages.nist.gov/800-63-3/>`_
         
+        For new applications:
+        
+        * `WebAuthn <https://www.w3.org/TR/webauthn/>`_
+        * `PyWARP <https://github.com/pyauth/pywarp>`_
+        
         .. image:: https://img.shields.io/travis/pyotp/pyotp.svg
                 :target: https://travis-ci.org/pyotp/pyotp
         .. image:: 
https://img.shields.io/codecov/c/github/pyotp/pyotp/master.svg
@@ -151,6 +158,8 @@
 Classifier: Operating System :: POSIX
 Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 2.7
-Classifier: Programming Language :: Python :: 3.3
 Classifier: Programming Language :: Python :: 3.4
+Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyotp-2.2.7/test.py new/pyotp-2.3.0/test.py
--- old/pyotp-2.2.7/test.py     2017-06-10 18:12:42.000000000 +0200
+++ new/pyotp-2.3.0/test.py     2019-07-26 18:44:42.000000000 +0200
@@ -261,6 +261,9 @@
     def test_fullwidth_input(self):
         self.assertTrue(self.method("xs12345", "xs12345"))
 
+    def test_unicode_equal(self):
+        self.assertTrue(self.method("ěšč45", "ěšč45"))
+
 
 class CounterOffsetTest(unittest.TestCase):
     def test_counter_offset(self):
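Review bot: test_unicode_equal covers only the matching case. Add a negative assertion with two different non-ASCII strings, for example `self.assertFalse(self.method("ěšč45", "ěšd45"))`, so a regression that raises or returns True for unequal non-ASCII input is caught as well.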

