Re: Dependency on python-oauth2

2014-02-10 Thread Iain R. Learmonth
On 10/02/14 05:57, Thomas Goirand wrote:
 On 02/10/2014 02:41 AM, Iain R. Learmonth wrote:
 [...]
 
 python-oauth2 is indeed not maintained anymore upstream, and has
 security problems. As a consequence, I worked out a patch for keystone
 so that it uses oauthlib instead. I would recommend that you do the
 same, and that you do not rely on oauth2. Note that the API of oauthlib
 is different from oauth2, even though they are supposed to do the same
 kind of thing.
 

Cool. Thanks everyone for your help. I'm going to ask upstream if
they'll consider moving to oauthlib then instead of python-oauth2.

Iain.

-- 
urn:x-human:Iain R. Learmonth
http://iain.learmonth.me/
mailto:i...@fsfe.org
xmpp:i...@jabber.fsfe.org
tel:+447875886930

GPG Fingerprint: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Please verify out-of-band before trusting with sensitive information.

[[[ To any GCHQ or other security service agents reading my email: ]]]
[[[ Please consider if any professional body code of conduct to]]]
[[[ which you subscribe requires you to follow Snowden's example.  ]]]
[[[ Your professional membership, chartered or incorporated status ]]]
[[[ may be at risk.]]]





Re: Dependency on python-oauth2

2014-02-10 Thread Barry Warsaw
On Feb 10, 2014, at 10:33 AM, Iain R. Learmonth wrote:

Cool. Thanks everyone for your help. I'm going to ask upstream if
they'll consider moving to oauthlib then instead of python-oauth2.

Thanks for that.  I've ported a number of libraries and apps to oauthlib, and
had a chance to speak with the author at a previous conference.  Despite the
fact that the API is different enough from the ancient (and unmaintained)
oauth/oauth2 libraries, oauthlib is really quite good for client-side uses,
and usually isn't *too* difficult to port to.

Cheers,
-Barry




Dependency on python-oauth2

2014-02-09 Thread Iain R. Learmonth
Hi,

I am attempting to get a package into Debian. I have it packaged and
accepted into unstable but due to a dependency on python-oauth2 it has
been held back from entering testing.

https://security-tracker.debian.org/tracker/source-package/python-oauth2

There are two open security problems with python-oauth2. It has been
removed from testing also and will not be in the next stable release of
Debian unless these bugs are fixed.

irl@orbiter:~$ apt-cache rdepends python-oauth2
python-oauth2
Reverse Depends:
  turses
  python-django-social-auth
  python-keystone
  python-django-oauth-plus
  python-djangorestframework
  python-django-social-auth

There are also a number of packages that depend on python-oauth2 that
will disappear on the next stable release.

Is there currently any effort to patch these problems in python-oauth2?
I notice these bugs were filed on the 13th Sep 2013. There has been no
activity in python-oauth2 on GitHub in over 2 years as far as I can see.

If there is no effort to fix these bugs, could someone recommend an
alternative package to depend on to provide OAuth2 client functionality
for a Python module? I think upstream would likely be willing to
refactor for the new library.

Thanks,
Iain.

-- 
urn:x-human:Iain R. Learmonth
http://iain.learmonth.me/
mailto:i...@fsfe.org
xmpp:i...@jabber.fsfe.org
tel:+447875886930

GPG Fingerprint: 1F72 607C 5FF2 CCD5 3F01 600D 56FF 9EA4 E984 6C49
Please verify out-of-band before trusting with sensitive information.

[[[ To any GCHQ or other security service agents reading my email: ]]]
[[[ Please consider if any professional body code of conduct to]]]
[[[ which you subscribe requires you to follow Snowden's example.  ]]]
[[[ Your professional membership, chartered or incorporated status ]]]
[[[ may be at risk.]]]



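The `apt-cache rdepends` output above only shows packages whose Debian control file declares a dependency on python-oauth2; it does not tell you which source files in a package actually import the library and would need porting. The following is an added example (not code from the original post, from Debian, or from python-oauth2) that walks a source tree with the standard-library `ast` module and reports every import of the `oauth2` module, which is the import name used by python-oauth2. The sample sources and their file names are constructed for the example; relative imports such as `from .oauth2 import ...` are ignored on purpose, because they refer to a project's own module rather than to the packaged library.

```python
import ast
import pathlib
from typing import Dict, List

# Import name of the unmaintained python-oauth2 library. Its replacement,
# oauthlib, is imported as "oauthlib", so a prefix match on "oauth2" does
# not mistake the new library for the old one.
OLD_MODULE = "oauth2"


def _is_old_module(name: str) -> bool:
    """True for the module itself or any of its submodules."""
    return name == OLD_MODULE or name.startswith(OLD_MODULE + ".")


def find_oauth2_imports(source: str, filename: str = "<string>") -> List[str]:
    """Return 'file:line: statement' entries for each import of python-oauth2
    found in `source`. Only absolute imports are reported."""
    hits: List[str] = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _is_old_module(alias.name):
                    hits.append(f"{filename}:{node.lineno}: import {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            # node.level > 0 means a relative import ("from .oauth2 import x"),
            # which refers to a local module, not to the packaged library.
            if node.level == 0 and _is_old_module(module):
                names = ", ".join(alias.name for alias in node.names)
                hits.append(f"{filename}:{node.lineno}: from {module} import {names}")
    return hits


def scan_sources(sources: Dict[str, str]) -> List[str]:
    """Scan an in-memory mapping of file name -> source text; sorted output."""
    hits: List[str] = []
    for filename in sorted(sources):
        hits.extend(find_oauth2_imports(sources[filename], filename))
    return hits


def scan_tree(root: pathlib.Path) -> List[str]:
    """Scan every .py file under `root` on disk (the real-world entry point)."""
    sources = {
        str(path.relative_to(root)): path.read_text(encoding="utf-8")
        for path in root.rglob("*.py")
    }
    return scan_sources(sources)


# Constructed sample sources: one file that uses the old library, one that
# mixes a real import with a relative import of a local module named oauth2,
# and one already ported to oauthlib.
SAMPLE_SOURCES = {
    "app/client.py": (
        "import oauth2 as oauth\n"
        "import oauthlib\n"
        "\n"
        "consumer = oauth.Consumer('key', 'secret')\n"
    ),
    "app/views.py": (
        "from oauth2 import Client, Token\n"
        "from .oauth2 import helper\n"
    ),
    "app/clean.py": "from oauthlib.oauth1 import Client\n",
}


if __name__ == "__main__":
    for hit in scan_sources(SAMPLE_SOURCES):
        print(hit)
```

Running the block on the constructed samples reports `app/client.py:1: import oauth2` and `app/views.py:1: from oauth2 import Client, Token`; `app/clean.py` and the relative import produce nothing. Point `scan_tree` at an unpacked source package to get the list of files a port to oauthlib has to touch.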


Re: Dependency on python-oauth2

2014-02-09 Thread Daniele Tricoli
Hello Iain,

On Sunday 09 February 2014 18:41:10 Iain R. Learmonth wrote:
 If there is no effort to fix these bugs, could someone recommend an
 alternative package to depend on to provide OAuth2 client functionality
 for a Python module?

You could try python-oauthlib. Upstream is very active and AFAIK
python-djangorestframework can use oauthlib thanks to django-oauth-toolkit
and python-social-auth (which supersedes python-django-social-auth) is already 
using oauthlib.

I also checked, right now, python-keystone and in its requirements.txt there 
is oauthlib:

https://github.com/openstack/keystone/blob/master/requirements.txt#L20

HTH,

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org



Re: Dependency on python-oauth2

2014-02-09 Thread Thomas Goirand
On 02/10/2014 02:41 AM, Iain R. Learmonth wrote:
 Hi,
 
 I am attempting to get a package into Debian. I have it packaged and
 accepted into unstable but due to a dependency on python-oauth2 it has
 been held back from entering testing.
 
 https://security-tracker.debian.org/tracker/source-package/python-oauth2
 
 There are two open security problems with python-oauth2. It has been
 removed from testing also and will not be in the next stable release of
 Debian unless these bugs are fixed.
 
 irl@orbiter:~$ apt-cache rdepends python-oauth2
 python-oauth2
 Reverse Depends:
   turses
   python-django-social-auth
   python-keystone
   python-django-oauth-plus
   python-djangorestframework
   python-django-social-auth
 
 There are also a number of packages that depend on python-oauth2 that
 will disappear on the next stable release.
 
 Is there currently any effort to patch these problems in python-oauth2?
 I notice these bugs were filed on the 13th Sep 2013. There has been no
 activity in python-oauth2 on GitHub in over 2 years as far as I can see.
 
 If there is no effort to fix these bugs, could someone recommend an
 alternative package to depend on to provide OAuth2 client functionality
 for a Python module? I think upstream would likely be willing to
 refactor for the new library.
 
 Thanks,
 Iain.

Hi,

python-oauth2 is indeed not maintained anymore upstream, and has
security problems. As a consequence, I worked out a patch for keystone
so that it uses oauthlib instead. I would recommend that you do the
same, and that you do not rely on oauth2. Note that the API of oauthlib
is different from oauth2, even though they are supposed to do the same
kind of thing.

I hope this helps,
Cheers,

Thomas Goirand (zigo)

