IMHO we should just change flask-openid to not import these utility functions from pycrypto. I would have patched it myself if there were an easy way, but it's a tarball inside the sagenb tarball...
On Sunday, June 8, 2014 5:16:47 PM UTC+1, leif wrote:
>
> Volker Braun wrote:
> > Neat, but the flask openid shouldn't and doesn't implement SSL using
> > pycrypto. Looking at the source, what triggers the warning is
> >
> > from Crypto.Util.number import long_to_bytes, bytes_to_long
> >
> > which is used by flask-openid to serialize data to disk.
>
> Still, should we somehow silence the warning (probably by patching our
> pycrypto package further)?
>
> The easiest solution is of course to simply report this upstream... ;-)
>
> (MPIR 2.7.0.alpha4 still lacks mpz_powm_sec().)
>
> -leif
>
> > On Sunday, June 8, 2014 11:21:20 AM UTC+1, Martin Albrecht wrote:
> >
> > On Saturday 07 Jun 2014 13:34:18 Volker Braun wrote:
> > > Afaik it's only used in the openid module. And exploiting a timing attack
> > > over network is most likely not possible.
> >
> > they are practical at least over LAN:
> > https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
> >
> > > On Saturday, June 7, 2014 8:40:54 PM UTC+1, em2slyn wrote:
> > > > Hi All:
> > > >
> > > > I am hosting a Sage server for our department and ever since upgrading to
> > > > 6.X the following message displays every time Sage is launched.
> > > >
> > > > Executing twistd --pidfile="sage_notebook.sagenb/sagenb.pid" -ny "sage_notebook.sagenb/twistedconf.tac"
> > > > /home/sageserver/sage-6.2/local/lib/python2.7/site-packages/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
> > > > _warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)
> > > > .
> > > > .
> > > > .
> > > >
> > > > I've been tracking this down and noticed there are a number of posts on
> > > > the web related to this warning although not specifically addressing Sage.
> > > > Unfortunately, some sites have provided various workarounds but I cannot
> > > > seem to find a resolution.
> > > >
> > > > I am currently hosting Sage 6.2 on Ubuntu Server 12.04 and tried an
> > > > experimental build using Ubuntu 14.04. Initially, I installed GMP 6.0.0a
> > > > from gmplib.org and rebuilt Python using the command *sage -f python*
> > > > along with *SAGE_UPDATING=yes make*. The warning persisted. Then I did a
> > > > complete build from source adding libgmp-dev to the standard pool of
> > > > prerequisite packages. Still no luck.
> > > >
> > > > First of all, is this a problem with Sage or the OS I've selected to use?
> > > > Is there a package that is missing that should be included in the build?
> > > > Any input would be welcome. Thank you!
> > > >
> > > > Have a GREAT DAY!!
> > > >
> > > > Shaun
>
> --
> () The ASCII Ribbon Campaign
> /\ Help Cure HTML E-Mail
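The suggestion at the top of this thread, dropping the `Crypto.Util.number` import, could look like the sketch below. It is an added example, not part of the thread and not code from flask-openid or pycrypto. It gives standard-library stand-ins for the two helpers with the same big-endian, optionally zero-padded encoding, so importing them never loads `Crypto.Util.number` and the warning is not triggered. Rejecting negative input is a choice made here.

```python
import binascii


def long_to_bytes(n, blocksize=0):
    """Encode a non-negative integer as big-endian bytes, minimal length.

    If blocksize > 0, the result is left-padded with zero bytes up to a
    multiple of blocksize. Zero encodes as a single zero byte.
    """
    if n < 0:
        # Choice made for this example: fail loudly on negative input.
        raise ValueError("cannot encode a negative integer")
    digits = "%x" % n
    if len(digits) % 2:
        digits = "0" + digits          # unhexlify needs whole bytes
    data = binascii.unhexlify(digits)
    if blocksize > 0 and len(data) % blocksize:
        data = b"\x00" * (blocksize - len(data) % blocksize) + data
    return data


def bytes_to_long(data):
    """Decode big-endian unsigned bytes to an integer (empty input gives 0)."""
    return int(binascii.hexlify(data) or b"0", 16)


def roundtrip_ok(values):
    """True if every value survives encode-then-decode unchanged."""
    return all(bytes_to_long(long_to_bytes(v)) == v for v in values)


if __name__ == "__main__":
    # Constructed sample values, including one wider than a machine word.
    samples = [0, 1, 255, 256, 2**64 - 1, 2**1024 + 12345]
    print("round trip ok:", roundtrip_ok(samples))
    print(repr(long_to_bytes(1, 4)))
```

Both functions are plain byte conversions with no modular exponentiation, so the `mpz_powm_sec` timing concern named in the warning does not apply to them.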
