This mostly looks good and I'm happy to sponsor the plucky upload. For SRU, there are a couple of minor notes regarding the SRU template that should be addressed:

1. Could the impact section list what the user impact is? Currently it's describing what's *caused* the bug (and the remedy), but not the actual impact to the user experience. My guess is this would include something like "certmonger crashes preventing completion of certificate enrolment"?

2. Could the test plan be made a little more specific? The ideal would be to have a test plan that absolutely anyone could follow without necessarily knowing anything about the package, but I realize that's probably impossible in this case given the requirement of having an AD. Still, the current instructions could specify *where* in the linked procedure the test is expected to fail (the instructions already list the expected failure message, which is good). That covers the requirement to reproduce the bug. Then...

3. The next half of the test plan should be "upgrade to the proposed version and re-test". Thankfully on noble and oracular that's pretty trivial and just involves "sudo apt install -t $series-proposed python3-cepces" (where $series is the affected series). Ideally, the test plan should also include a demonstration that normal operation (however basic) still works.

I realize the above sounds a bit nit-picky, but they're things the SRU team is likely to highlight when checking the bug.

Finally, I've adjusted the "where problems could occur" section a bit just to make it clear that, at the time of writing, there is no possibility of regression with regard to old versions of cryptography (because none of the affected). Once the test plan is updated, I would recommend adding the following to the "where problems could occur" section: "The test plan ensures that the bug is reproducible, and that the proposed patch fixes the issue. It also checks that normal operation is unaffected."

** Description changed:

  [ Impact ]

  * python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed.
  * Updating the system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method.
  * The new API to use is _RSAPublicKey.verify, which takes one extra parameter.
  * Versions prior to Noble still have cryptography with the .verifier method.

  [ Test Plan ]

  I was looking for a shorter way, but apparently the cepces test suite does not cover this case and testing requires an AD controller. The issue occurs when following [1]. When a configured system tries to automatically enroll certificates it fails with the following messages:

  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

  [1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/

  [ Where problems could occur ]

- * There is a very unlikely possibility that this fix will make cepces incompatible with "ancient" (pre-1.4) versions of python-cryptography, as this is where the "verify" method has been introduced. I don't think this is a concern, because probably there would be much more incompatibilities with a version over 8 years old.
- * Due to the fact that "verifier" has been deprecated for quite some time, I believe requiring version at least 37 with this patch (containing only "verify") would make sense in this case.
+ The fix is minimal, sourced from upstream, and has been uploaded to the
+ devel release (plucky).
+
+ The patch makes cepces incompatible with "ancient" (pre-1.4) versions of
+ python-cryptography, but this version is not present in any of the
+ affected series, and thus should present no danger of incompatibility.

  [ Other Info ]

  Original bug description:

  This bug is opened to include the upstream patch by falencastro into the Ubuntu release of python3-cepces

  Upstream Bug report: https://github.com/openSUSE/cepces/issues/41

  python-cryptography version 37.0.0 dropped the `signer` and `verifier` methods, replacing them with `sign` and `verify` (https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700---2022-04-26)

  From upstream report:

  1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
  2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center

  OS: Ubuntu 24.04.1 LTS
  Python: 3.12.3
  python3-cepces: 0.3.7-0ubuntu1
  python3-cryptography: 41.0.7-4ubuntu0.1

  3) What you expected to happen:
  AD enrolled systems can auto-fetch certificates from the server

  4) What happened instead:
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

  PR with fix: https://github.com/openSUSE/cepces/pull/42

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2081751

Title:
  python3-cepces calling deprecated method from cryptography

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
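The API change behind the AttributeError above, shown as an added example rather than cepces's own code or the upstream patch: the removed `verifier()` call is replaced by `verify()`, which takes the signature as an extra positional argument and raises `InvalidSignature` instead of returning a verifier object. The issuer key and self-signed certificate are constructed in memory so the check runs without an AD controller or certmonger.

```python
"""Certificate signature check with the cryptography >= 37 API (added example)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def verify_certificate_signature(cert, issuer_public_key):
    """Return True if cert's signature was made by issuer_public_key (RSA, PKCS#1 v1.5).

    Old, removed pattern: v = key.verifier(sig, pad, alg); v.update(data); v.verify()
    New pattern: key.verify(sig, data, pad, alg) -- the signature is the extra argument.
    """
    try:
        issuer_public_key.verify(
            cert.signature,                  # extra parameter vs. verifier()
            cert.tbs_certificate_bytes,      # the signed portion of the certificate
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def make_self_signed_cert(key):
    """Build a minimal self-signed certificate (constructed test data, not a real CA)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )


def demo():
    """Verify against the real issuer key and against an unrelated key."""
    issuer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = make_self_signed_cert(issuer_key)
    return (verify_certificate_signature(cert, issuer_key.public_key()),
            verify_certificate_signature(cert, other_key.public_key()))
```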
