pycrypto-2.0.1 uses md5 & sha1 modules which will be deprecated in 2.6/3.0

Bug #269429 reported by Mike Auty on 2008-09-12
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Bazaar
Undecided
Bob Tanner
Python-Crypto
Undecided
Dwayne Litzenberger
python-crypto (Fedora)
Fix Released
Low
python-crypto (Ubuntu)
Medium
James Westby

Bug Description

This is only a very minor bug (and 2.6 hasn't even been released yet), but since the deprecations show up for every package that uses them, it was quite noticeable when testing out the new versions in preparation.

Unfortunately the hashlib module isn't PEP 247 compliant, so there will be a bit work to maintain the current interface. It might be worth filing a bug at python.org suggesting that deprecating module compliant to a PEP for one that isn't should be fixed (preferably by providing a compliant interface).

Dwayne Litzenberger (dlitz) wrote :

Fixed in commit-id d2311689910240e425741a546576129f4c9735e2 in the git repository.

http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.0.x.git;a=commitdiff;h=d2311689910240e425741a546576129f4c9735e2

Changed in pycrypto:
assignee: nobody → dlitz
status: New → Fix Committed
Mike Auty (mike-auty) wrote :

Wow, thanks for the incredibly quick fix!

I was just wondering about the Hmac module, since that seems to import the md5 module, but it's not clear if it imports the python one, or the Crypto.Hash.md5 module? Are module imports relative or absolute? If they're relative, then do please ignore me...

Dwayne Litzenberger (dlitz) wrote :

Imports are relative in Python 2, but also case-sensitive. Here's the next fix:

http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.0.x.git;a=commitdiff;h=84b793416b52311643bfd456a4544444afbfb5da

Let me know if that works (I haven't tested on Win32 yet).

Mike Auty (mike-auty) wrote :

Sorry for the long delay, all seems to work fine on my linux box (don't have a win32 box to test on I'm afraid). Again, thanks for the fix! 5:)

Description of problem:

Applications using python-crypto may get the following warning:

/usr/lib64/python2.6/site-packages/Crypto/Hash/SHA.py:6: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  from sha import *
/usr/lib64/python2.6/site-packages/Crypto/Hash/MD5.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  from md5 import *

Version-Release number of selected component (if applicable):

python-crypto-2.0.1-14.1.x86_64
python-2.6-4.fc11.x86_64

How reproducible:

Always

Steps to Reproduce:
1.
2.
3.

Actual results:

/usr/lib64/python2.6/site-packages/Crypto/Hash/SHA.py:6: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  from sha import *
/usr/lib64/python2.6/site-packages/Crypto/Hash/MD5.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  from md5 import *

Expected results:

No warnings about deprecated functions.

Additional info:

From a quick grep it also applies to Crypto/Hash/HMAC.py

It seems the fix is simply changing as follows

From:
 from md5 import *
 import mf5
To:
 from hashlib import md5

and similar for SHA.

Can you confirm this is fixed in 2.0.1-15? I haven't setup my rawhide VM to test yet...

http://koji.fedoraproject.org/koji/taskinfo?taskID=1111208

Same problem in 2.0.1-15.

The patch in CVS looks about right, but is not added to the spec file so not part of the build..

Needs to be both a Patch0: source line, and a %patch0 statement in %prep

Sorry about that, fixed now. Rebuilding now: http://koji.fedoraproject.org/koji/taskinfo?taskID=1111411

I've also changed the patch a bit, as to remain compatible with PEP 247 we can't simply replace the md5/sha modules with their hashlib equivalents - hashlib provides a function and not a module with the digest_size and blocksize properties. The SHA and MD5 functions will now contain the correct values for digest_size and blocksize (the same values as the objects from hashlib have) as before there were hardcoded from the Python sha and md5 modules.

Changed in python-crypto:
status: Unknown → Confirmed

Stewart, upstream has a report reg. this as well:

     https://bugs.launchpad.net/pycrypto/+bug/269429

There are also fixes in git:

     http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=d2311689910240e425741a546576129f4c9735e2
     http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=84b793416b52311643bfd456a4544444afbfb5da

Should we use those just to be on the safe side?

BTW: Steward, would you be interested to take over python-crypto? I don#t need it anymore

Changed in python-crypto:
status: Confirmed → Fix Released
Bob Tanner (tanner) wrote :

Think you could push a 2.0.2 release?

With just the above patches if a full build/release is too much work?

I will volunteer to push a release if you give me your blessing :-)

Bob Tanner (tanner) on 2009-03-16
Changed in bzr:
assignee: nobody → tanner
milestone: none → 1.14rc1
status: New → Fix Committed
Bob Tanner (tanner) wrote :

Please see https://bugs.launchpad.net/bzr/+bug/342170 there's a bzr branch with the above upstream patches applied that should work for Ubuntu people. Please let me know what else I can do to help.

Bob Tanner (tanner) on 2009-03-16
Changed in python-crypto:
assignee: nobody → ubuntu-core-dev
Scott Kitterman (kitterman) wrote :

Please don't assign ubuntu-core-dev to bugs. That causes everyone to get mailed and is not the appropriate process.

Changed in python-crypto:
assignee: ubuntu-core-dev → nobody
Colin Watson (cjwatson) on 2009-03-16
Changed in python-crypto (Ubuntu):
assignee: nobody → doko
Kees Cook (kees) wrote :

This bug was fixed in the package python-crypto - 2.0.1+dfsg1-2.3ubuntu4

---------------
python-crypto (2.0.1+dfsg1-2.3ubuntu4) jaunty; urgency=low

  [ Martin Pool ]
  * Take patch from upstream to avoid deprecation warnings under python 2.6.
    (LP: #337073)

 -- James Westby <email address hidden> Tue, 10 Mar 2009 16:12:48 +1000

Changed in python-crypto (Ubuntu):
assignee: doko → james-w
importance: Undecided → Medium
milestone: none → ubuntu-9.04-beta
status: New → Fix Released
Vincent Ladeuil (vila) on 2009-04-29
Changed in bzr:
status: Fix Committed → Fix Released
ssteinerX (ssteinerx) wrote :

I apologize in advance, I'm just a user of this project. I'm getting the deprecation warnings on 2.0.1, under 2.6.2 about the md5 module and, by policy, have to use a release version at work. Can a 2.0.2 be pushed out to resolve this? Thanks, S.

Dwayne Litzenberger (dlitz) wrote :

We believe this bug has been fixed in PyCrypto v2.1.0, which can be obtained from http://www.pycrypto.org/

Changed in pycrypto:
status: Fix Committed → Fix Released
Changed in pycrypto:
milestone: none → 2.1.0
Changed in python-crypto (Fedora):
importance: Unknown → Low
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.