IMHO we should just change flask-openid to not import these utility 
functions from pycrypto. I would have patched it myself if there were an 
easy way, but it's a tarball inside the sagenb tarball...

On Sunday, June 8, 2014 5:16:47 PM UTC+1, leif wrote:
>
> Volker Braun wrote: 
> > Neat, but the flask openid shouldn't and doesn't implement SSL using 
> > pycrypto. Looking at the source, what triggers the warning is 
> > 
> > from Crypto.Util.number import long_to_bytes, bytes_to_long 
> > 
> > which is used by flask-openid to serialize data to disk. 
>
> Still, should we somehow silence the warning (probably by patching our 
> pycrypto package further)? 
>
> The easiest solution is of course to simply report this upstream... ;-) 
>
> (MPIR 2.7.0.alpha4 still lacks mpz_powm_sec().) 
>
>
> -leif 
>
> > On Sunday, June 8, 2014 11:21:20 AM UTC+1, Martin Albrecht wrote: 
> > 
> >     On Saturday 07 Jun 2014 13:34:18 Volker Braun wrote: 
> >      > Afaik it's only used in the openid module. And exploiting a timing 
> >     attack 
> >      > over network is most likely not possible. 
> > 
> >     they are practical at least over LAN: 
> >     https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf 
> > 
> >      > On Saturday, June 7, 2014 8:40:54 PM UTC+1, em2slyn wrote: 
> >      > > Hi All: 
> >      > > 
> >      > > I am hosting a Sage server for our department and ever since 
> >     upgrading to 
> >      > > 6.X the following message displays every time Sage is launched. 
> >      > > 
> >      > > Executing twistd  --pidfile="sage_notebook.sagenb/sagenb.pid" -ny "sage_notebook.sagenb/twistedconf.tac"
> >      > > 
> >      > > /home/sageserver/sage-6.2/local/lib/python2.7/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
> >      > > 
> >      > >   _warn("Not using mpz_powm_sec.  You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
> >      > > . 
> >      > > . 
> >      > > . 
> >      > > 
> >      > > I've been tracking this down and noticed there are a number of 
> >     posts on 
> >      > > the web related to this warning although not specifically 
> >     addressing Sage. 
> >      > > Unfortunately, some sites have provided various workarounds but 
> >     I cannot 
> >      > > seem to find a resolution. 
> >      > > 
> >      > > I am currently hosting Sage 6.2 on Ubuntu Server 12.04 and tried an 
> >      > > experimental build using Ubuntu 14.04. Initially, I installed GMP 6.0.0a 
> >      > > from gmplib.org and rebuilt Python using the command *sage -f python* 
> >      > > along with *SAGE_UPDATING=yes make*. The warning persisted. Then I did a 
> >      > > complete build from source adding libgmp-dev to the standard pool of 
> >      > > prerequisite packages. Still no luck. 
> >      > > 
> >      > > First of all, is this a problem with Sage or the OS I've 
> >     selected to use? 
> >      > > Is there a package that is missing that should be included in 
> >     the build? 
> >      > > Any input would be welcome. Thank you! 
> >      > > 
> >      > > Have a GREAT DAY!! 
> >      > > 
> >      > > Shaun 
> > 
>
>
> -- 
> () The ASCII Ribbon Campaign 
> /\   Help Cure HTML E-Mail 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"sage-support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/sage-support.
For more options, visit https://groups.google.com/d/optout.
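
Added example (not part of the thread, and not pycrypto or flask-openid code): stdlib-only Python 3 stand-ins for the two helpers named above, modelled on the behaviour of Crypto.Util.number.long_to_bytes and bytes_to_long. Neither helper performs modular exponentiation, so a serializer that uses functions like these has no need to import Crypto.Util.number at all; rejecting negative input and the roundtrip_ok helper are assumptions of this sketch.

```python
# Added example: stand-ins for the two serialization helpers named in the
# thread. Assumption: Python 3 (int.to_bytes / int.from_bytes).


def long_to_bytes(n, blocksize=0):
    """Encode a non-negative integer as a big-endian byte string.

    Zero encodes as a single zero byte. With blocksize > 0 the result is
    left-padded with zero bytes to a multiple of blocksize.
    """
    if n < 0:
        # Deliberate choice in this sketch: refuse rather than encode.
        raise ValueError("only non-negative integers can be encoded")
    length = max(1, (n.bit_length() + 7) // 8)
    if blocksize > 0 and length % blocksize:
        length += blocksize - length % blocksize
    return n.to_bytes(length, "big")


def bytes_to_long(data):
    """Decode a big-endian byte string; leading zero bytes are ignored."""
    return int.from_bytes(data, "big")


def roundtrip_ok(values):
    """Hypothetical helper: every value survives encode then decode."""
    return all(bytes_to_long(long_to_bytes(v)) == v for v in values)


if __name__ == "__main__":
    # Constructed sample values, including the zero and multi-word cases.
    samples = [0, 1, 255, 256, 2**64 - 1, 2**521 - 1]
    print("round trip ok:", roundtrip_ok(samples))
    print(long_to_bytes(1, 4))  # padded to one 4-byte block
```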
