Backport for deprecated int_from_bytes to int.from_bytes

adds focal debdiff

The attachment "lp2022372-focal-fix-crypto-warning.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Hi Heather,

Thanks for the bug report with detailed tracks for releases and debdiff!

Tracks:

I think tracks that don't need the fix should be in 'Invalid' and not
"Won't Fix", since it's not like they had to be fixed but will not.

Impact:

Apparently if your reorder these lines it'd be clearer?

from

1) A method from cryptographic_utils was deprecated and replaced.
2) We are cherry-picking ... to address the unnecessary logging...
3) It also deprecates the usage ...

to

1) A method from cryptographic_utils was deprecated and replaced.
3) It also deprecates the usage ...
2) We are cherry-picking ... to address the unnecessary logging...

since 2 looks like the solution to the problem, and 3 is symptoms.

Also, it is important to highlight the need for the py3-crypto from
cloud archive to reproduce the problem in the Impact session.
(It's currently low profile in the middle of a long sentence in
Test Plan).

Where Problems Could Occur:

I'm not sure I followed why exactly the Build-Depends: are related
since the python code is loaded at runtime (so Depends: are used),
if you could clarify please.

> The impact is low as this fixes a deprecated 3rd party library.

I guess it fixes the _usage_ of a deprecated method from other lib?

It'd be nice if we could confirm that the new code (int.from_bytes)
is not only available in python-cryptography in the ubuntu archive
(old version, not the new version in UCA), but also and does not
have bugs that need additional fixes from py-crypto upstream.

(since we'd be switching implementations, let's make sure the new
implementation is equivalent and/or has all fixes needed).

...

Debdiffs:

- changelog: needs LP: #number, and (nitpicking) further indent '-'
  under '*' is usual (not strictly required)

- dep3:
- Origin: typo in "Origin, upstream: <url>" ("Origin: upstream, <url>")
- Origin: URL is OK, but prefer shorter/commit "https://github.com/mitya57/secretstorage/commit/<id>"
  (we can get to the PR from the commit message or the LP bug number)
- Bug-Ubuntu: URL is OK, but prefer shorter "https://bugs.launchpad.net/bugs/<number>"

Thanks!

I'll ask another sponsor to review the next debdiff due to time off.

> It'd be nice if we could confirm that the new code (int.from_bytes) is not only available in python-cryptography in the ubuntu archive (old version, not the new version in UCA), but also and does not have bugs that need additional fixes from py-crypto upstream.

The new method is part of Python itself, not python-cryptography. It's available since Python 3.2 and I'm not aware of any issues with it:

https://docs.python.org/3/library/stdtypes.html#int.from_bytes

Hi Dmitry, I'll take a look. Thanks Dariusz for picking this up.

updated patch from comments

This bug is filed against Ubuntu focal and an upload is in the focal-proposed queue for python-secretstorage, but it is not clear to me from this bug description how focal is affected.

In a focal environment:

$ sudo apt install python3-secretstorage
[...]
The following NEW packages will be installed:
  dbus libapparmor1 libdbus-1-3 python3-cffi-backend python3-cryptography
  python3-dbus python3-secretstorage
[...]
$ python3
Python 3.8.10 (default, May 26 2023, 14:05:08)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from secretstorage.dhcrypto import Session
>>> session = Session()
>>> exit()
$

No deprecation messages are shown.

Hi Steve,

Thanks for the feedback.

I just clarified in the Impact section that the packages should be from the Ubuntu Cloud Archive, based on the Test Plan section.

cheers,
Mauricio

Can I check I've got this straight?

python3-secretstorage in Focal uses an API call that is not deprecated in the python3-cryptography package shipped in Focal, but *is* deprecated in a future version of python3-cryptography shipped in the cloud archive?

That doesn't sound like it would qualify for an SRU in Focal to me, since it isn't a problem in Focal. The cloud archive is an overlay, and is expected to deal with the consequences of bumping versions of packages inside itself. The point of the cloud archive is that it does not alter the base Ubuntu archive for the purposes of enabling versions newer than what shipped in Ubuntu.

Can you fix the problem by either "undeprecating" those API calls in python3-cryptography in a patch in the cloud archive, or alternatively by shipping a patched or newer version of python-secretstorage in the cloud archive itself?

If I've not understood the situation correctly, please do correct me!

Hi Robie,

Thanks for detailing the rationale.

You are right; I was wrong in the interpretation of responsibility for backward/forward compatibility between UA and UCA in this case.

This indeed should be fixed via UCA since it introduces the issue.

Hi Robie/Maurico,

I do not see a UCA version of python-secretstorage package. If I mistyped please let me know.

I thought the warnings only occur with python-secretstorage (debian/focal) + python3-cryptography (any version above 3.4+) but I can double check.

root@focalsstest2:~/pythonss/python3-secretstorage# cmadison python-secretstorage

root@focalsstest2:~/pythonss/python3-secretstorage# cmadison python3-cryptography
 python3-cryptography | 1.2.3-1ubuntu0.3~cloud0 | mitaka | trusty-updates | any all
 python3-cryptography | 1.2.3-1ubuntu0.3~cloud0 | mitaka-proposed | trusty-proposed | any all
 python3-cryptography | 2.1.4-1ubuntu1.4~cloud0 | queens | xenial-updates | any all
 python3-cryptography | 2.1.4-1ubuntu1.4~cloud0 | queens-proposed | xenial-proposed | any all
 python3-cryptography | 2.6.1-3.1~cloud0 | train | bionic-updates | any all
 python3-cryptography | 2.6.1-3.1~cloud0 | train-proposed | bionic-proposed | any all
 python3-cryptography | 2.8-3ubuntu0.1~cloud0 | ussuri | bionic-updates | any all
 python3-cryptography | 2.8-3ubuntu0.1~cloud0 | ussuri-proposed | bionic-proposed | any all
 python3-cryptography | 3.0-1ubuntu0.1~cloud0 | victoria | focal-updates | any all
 python3-cryptography | 3.0-1ubuntu0.1~cloud0 | victoria-proposed | focal-proposed | any all
 python3-cryptography | 3.3.2-1~cloud0 | wallaby | focal-updates | any all
 python3-cryptography | 3.3.2-1~cloud0 | wallaby-proposed | focal-proposed | any all
 python3-cryptography | 3.3.2-1build1~cloud0 | xena | focal-updates | any all
 python3-cryptography | 3.3.2-1build1~cloud0 | xena-proposed | focal-proposed | any all
 python3-cryptography | 3.4.8-1ubuntu2~cloud0 | yoga | focal-updates | any all
 python3-cryptography | 3.4.8-1ubuntu2~cloud0 | yoga-proposed | focal-proposed | any all

Hey Heather,

Thanks for checking!

That is correct; the uca:yoga ships the newer version of python3-cryptography, which introduces the deprecations, and causes the issue when consumed by python3-secretstorage in focal (but could also happen w/ any other consumer, as our test-case demonstrates).

Thus Robie's suggestions were to patch UCA (which introduces the issue on / is thus responsible for affecting focal) to either
- add a patch in uca:yoga only (but not in its base/origin, jammy) to undeprecate the deprecations (since we know there are consumers of such calls in focal, which is the target for uca:yoga), or
- add a new package in uca:yoga, to replace/update the consumer/python-secretstorage package in focal, so not to use the deprecated calls.

IMHO the former is a much simpler and less expensive option, and should not be an issue, since we know the target of uca:yoga is focal, and know it has consumer packages of the deprecated calls. Since the deprecated calls still work, it wouldn't seem to be an issue, AFAICT.

Thanks!

from my ppa https://launchpad.net/~hypothetical-lemon/+archive/ubuntu/python-cryptography-lp2022372/+packages
I was able to build and test the changes needed for the warnings to be removed
the python-cryptography package removes the deprecated function int_from_bytes
the python-secretstorage package has the two backported issues that replaces the call from int_from_bytes() to int.from_bytes()

python-cryptography - 3.4.8-1ubuntu2~cloud3testpkg015
python-secretstorage - 2.3.1-2ubuntu2testpkg2

Thanks!

Heather,

That's good news. Please let us know when the debdiffs are ready for review/sponsoring!

Thanks,
Mauricio

python3-cryptography focal-yoga debdiff

I did some extra testing around focal-yoga Openstack instance. I didn't observe any warnings thrown in the logs like was mentioned earlier, but I did see them when trying to execute a command from python-secretstorage where the problem is.

# create openstack focal-yoga deployment, by default python3-cryptography and python3-secretstorage
have the correct installed packages. The warnings happen when we use the focal deb version of python3-secretstorage and the UCA cloud version of python3-cryptography.

sudo apt-cache policy python3-cryptography
python3-cryptography:
  Installed: 2.8-3ubuntu0.1
  Candidate: 3.4.8-1ubuntu2~cloud0
  Version table:
     3.4.8-1ubuntu2~cloud0 500
        500 http://ubuntu-cloud.archive.canonical.com/ubuntu focal-updates/yoga/main amd64 Packages
 *** 2.8-3ubuntu0.1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.8-3 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages

sudo apt-cache policy python3-secretstorage
python3-secretstorage:
  Installed: 2.3.1-2ubuntu1
  Candidate: 2.3.1-2ubuntu1
  Version table:
 *** 2.3.1-2ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

# check syslog for any errors before proceeding

# Either from the host or inside a juju-vm

python3
from secretstorage.dhcrypto import Session

# upgrade to cloud version of python3-cryptography
sudo apt install -y python3-cryptography

sudo apt-cache policy python3-cryptography

# shows the cloud version
python3-cryptography:
  Installed: 3.4.8-1ubuntu2~cloud0
  Candidate: 3.4.8-1ubuntu2~cloud0

python3
Python 3.8.10 (default, May 26 2023, 14:05:08)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from secretstorage.dhcrypto import Session
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
>>>
Ctrl+D

# upgrade to test ppa version

sudo add-apt-repository ppa:hypothetical-lemon/python-cryptography-lp2022372
sudo apt-get update
sudo apt-get install python3-cryptography

sudo apt-cache policy python3-cryptography
"" "" python3-secretstorage

# shows test package version installed

python3
from secretstorage.dhcrypto import Session

- observe no warning messages present.

Thanks,
Heather L.

Hi Heather,

First, sorry, I had missed the previous 2 comments.

So, it looks like the debdiff removes int_from_bytes altogether (including the deprecation message), thus the reproducer hits an ImportError.

  $ python3 -c 'from secretstorage.dhcrypto import Session'
  ...
  ImportError: cannot import name 'int_from_bytes' from 'cryptography.utils' (/usr/lib/python3/dist-packages/cryptography/utils.py)

I see a previous comment/attempt that includes a change to python3-secretstorage too, to actually port it to use int.from_bytes instead of int_from_bytes (deprecated), which is not attached, but the approach decided was to patch only the UCA, as it's the source introducing issues to the UA. (py3-ss from UA works fine with py3-cryptography from UA.)

Looking at the gitlog for the file, it looks like the change to be backport-reverted in python3-cryptography in UCA is the commit with specific hunk [1] (it deprecated int_from_bytes), if I understand it correctly?

Thanks!
Mauricio

[1] https://github.com/pyca/cryptography/commit/5528a3182fdd6ed1c44c126d451a87bcf39e79de#diff-c9ed41cf466f7643671839013ae11d8315b34fcacde992483edca84d6b2dfe04

Hi Mauricio,

> So, it looks like the debdiff removes int_from_bytes altogether (including the deprecation message), thus the reproducer hits an ImportError.

That is why we need to change both packages, python3-secretstorage and python3-cryptography and that's what I tested with changes to both packages with no problems, See comment #14.

The patch that I uploaded came from this commit [0].

So to re-cap, The suggestion to only make a change to UCA python3-cryptography won't work due to the fact that python3-secretstorage still calls out to the deprecated function.

I have not considering adding a new package in uca:yoga for python3-secretstorage but that is still an option, currently that package does not exist in UCA. [1]

[0] https://github.com/pyca/cryptography/commit/c8dc74c5ebb37e82fe381a9d248379c32a049072
[1] https://openstack-ci-reports.ubuntu.com/reports/cloud-archive/yoga_versions.html

Thank You,
Heather L.

Hi Heather,

> That is why we need to change both packages, python3-secretstorage and python3-cryptography
> and that's what I tested with changes to both packages with no problems, See comment #14.

Thanks for clarifying. Yes, I had read #14, but src:python-secretstorage should not change,
only src:python-cryptography (comment #10 from Robie / SRU team, as the issue comes in UCA).

> So to re-cap, The suggestion to only make a change to UCA python3-cryptography won't work
> due to the fact that python3-secretstorage still calls out to the deprecated function.

It should work if we just un-deprecate `int_from_bytes` (instead of removing it),
so the calls to that function do not throw deprecation warnings, apparently?

I mean, the mentioned commit [0] does remove the definition of `int_from_bytes`,
so it's no longer available (to src:python-secretstorage and all other rev deps).

On the other hand, this hunk in commit [1] introduced the change on `int_from_bytes`
(from an alias to `int.from_bytes` to a `deprecated(int.from_bytes)` wrapper/warning).

So, a partial revert of that hunk (and possibly the associated `tests/` hunks)
should clear the `deprecated()` warning message, if I understand it correctly?

Thanks again!
Mauricio

[0] https://github.com/pyca/cryptography/commit/c8dc74c5ebb37e82fe381a9d248379c32a049072
[1] https://github.com/pyca/cryptography/commit/5528a3182fdd6ed1c44c126d451a87bcf39e79de#diff-c9ed41cf466f7643671839013ae11d8315b34fcacde992483edca84d6b2dfe04

Let me know if this patch looks okay.

Hi Heather,

Thanks for the updated debdiff!

1) The SRU template needs updates in all sections, apparently, considering the course changes since the first approach, to what the fix approah is now.

2) The DEP-3 headers need changes:

- Subject: while not a requirement, it'd be nice (as git does) to keep the original (reverted) commit subject within q quotes; e.g.: 'Subject: Partially Revert "Remove utils.int_from_bytes (#5609)"'

- Description:
  This is not needed if Subject is present [DEP-3: "Description or Subject (required)"],
  although it's understandable the goal is to clarify why this is being done.

  Since you already have Subject, just use the long description outside of the headers:

  [DEP-3: "This obligatory field contains at least a short description on the first line.

   When Subject is used, it is expected that the long description is outside of the structured fields.
   With Description it is possible to embed them in the field using continuation lines.

   In both cases, the long description allows for a more verbose explanation of the patch and its history."]

   ...
   And the 'revert of removing deprecated' part is written the other way around, right?
   (the revert is reverting _adding_ deprecated msgs, ie, effectively removing them)

- Origin:

  For the link, please always link to the commit in the git repo, not to the commit in the PR
  (e.g., link '[0]' in comment #20; notice the commit ID is different, the one applied is official).

  For the optional keyword to categorize, this cannot be 'upstream' (as it had changes; not a cherry-pick),
  and cannot be 'backport' (which indicates changes to _apply_, but _reverting_ it is very different),
  so we probably should go with 'vendor':

  [DEP-3: "The allowed keywords are
   "upstream" (in the case of a patch cherry-picked from the upstream VCS),
   "backport" (in the case of an upstream patch that had to be modified to apply on the current version),
   "vendor" for a patch created by Debian or another distribution vendor, or
   "other" for all other kind of patches.]

Thanks again!
Mauricio

updated patch with feedback

Thanks, Heather!

That looks good; I made some adjustments to changelog/dep3
(mainly to reflect you're the Author:, as this patch isn't
the upstream commit; and some terminology as debian/ubuntu/
3rd party, and shorter commit hashses in the description).

I've successfully built and tested it, and checked that the
number of passed/skipped tests match the original version's
build log in UCA.

I'll check w/ Corey what is the recommended approach/steps
to get this into the cloud archive, as python-cryptography
doesn't have a git repo (for opening MRs on) [1].

[1] https://code.launchpad.net/~ubuntu-openstack-dev/+git

cheers,
Mauricio

Tests:
--

Before:

$ sudo add-apt-repository -y cloud-archive:yoga

$ sudo apt install python3-secretstorage python3-cryptography

$ dpkg -s python3-secretstorage python3-cryptography | grep ^Version:
Version: 2.3.1-2ubuntu1
Version: 3.4.8-1ubuntu2~cloud0

$ python3 -c 'from secretstorage.dhcrypto import Session'
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes

After:

$ dpkg -s python3-secretstorage python3-cryptography | grep ^Version:
Version: 2.3.1-2ubuntu1
Version: 3.4.8-1ubuntu2~cloud1

$ python3 -c 'from secretstorage.dhcrypto import Session'
$

...

Test suite in the test package's build log is the same as in ~cloud0 in UCA [2]
"... 2743 passed, 3261 skipped in 154.23s (0:02:34) ..."

[2] https://launchpadlibrarian.net/594295493/buildlog_ubuntu-focal-amd64.python-cryptography_3.4.8-1ubuntu2~cloud0_BUILDING.txt.gz

> I'll check w/ Corey what is the recommended approach/steps
> to get this into the cloud archive, as python-cryptography
> doesn't have a git repo (for opening MRs on) [1].

Corey clarified that, in this case, the debdiff is sufficient.
Waiting on review/sponsorship for the cloud archive. Thanks!

Hi Mauricio and Heather. Thanks for the patch. This is an interesting one because we backport python-cryptography from jammy to the yoga cloud archive. As the fix isn't needed on jammy, and because jammy is not EOL, we'll patch python-cryptoraphy whenever it backports via [1]. There's no d/changelog update in this case, and this allows us to continue automatic backports as we move forward. I wanted to explain this in case you pull-uca-source the package and don't see your d/changelog update.

[1] https://git.launchpad.net/~ubuntu-cloud-archive/+git/ca-patches/commit/?id=ce5287c96ce38b5fd2b742508f03810b2e36699a

Hey Corey,

Thanks for applying the patch and explaining the automatic backport process in this case! (I'll bookmark that git repo.)

So, in order to get the fix released to the yoga cloud archive, should we upload a No-Change Rebuild to Jammy, and the automatic backport will pick it up?

I can prepare and upload the NCR, if that's the correct option.

Thanks,
Mauricio

Hello Heather, or anyone else affected,

Accepted python-cryptography into yoga-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:yoga-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-yoga-needed to verification-yoga-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-yoga-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

On Wed, Sep 13, 2023 at 5:51 PM Mauricio Faria de Oliveira <
<email address hidden>> wrote:

> Hey Corey,
>
> Thanks for applying the patch and explaining the automatic backport
> process in this case! (I'll bookmark that git repo.)
>
> So, in order to get the fix released to the yoga cloud archive, should
> we upload a No-Change Rebuild to Jammy, and the automatic backport will
> pick it up?
>
> I can prepare and upload the NCR, if that's the correct option.
>
> Thanks,
> Mauricio
>

It's all set and building in yoga-proposed. But yes it is essentially a
no-change rebuild in this case.

Thanks again.
Corey

Thanks for the prompt upload for this, Corey!

It's nice we didn't need to change the ubuntu archive, just the cloud archive.

### VERIFICATION DONE FOCAL YOGA ###

Deploy an openstack focal-yoga instance

juju ssh nova-compute/0 bash

# python3-secretstorage version
python3-secretstorage: 2.3.1-2ubuntu1

sudo apt-get install python3-cryptography

# previous version tested
python3-cryptography: 3.4.8-1ubuntu2~cloud0

reproduced issue:
ubuntu@juju-e20dcf-lp2022372-focal-yoga-9:~$ python3
Python 3.8.10 (default, May 26 2023, 14:05:08)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from secretstorage.dhcrypto import Session
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes

# enabled proposed
sudo add-apt-repository cloud-archive:yoga-proposed

# install proposed version
sudo apt-get install python3-cryptography

python3-cryptography: 3.4.8-1ubuntu2~cloud1

ubuntu@juju-e20dcf-lp2022372-focal-yoga-9:~$ python3
Python 3.8.10 (default, May 26 2023, 14:05:08)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from secretstorage.dhcrypto import Session
>>>

No error messages were seen in the console.

Hi Mauricio,

I didn't want you to think I forgot changing the tag. I was busy testing edge cases with the python-secretstorage function calls [0] while also reading up on dbus [1]. What I posted above was the base case and wanted to get that done so I didn't forget anything. I also didn't find any regressions in my edge case tests.

[0] https://github.com/mitya57/secretstorage/blob/secretstorage-2.3/docs/index.rst
[1] https://www.freedesktop.org/wiki/IntroductionToDBus/

Thanks,
Heather L.

Thanks for clarifying, Heather.

Sorry, I took that from the header line, and didn't see a different indication in the comment, but I should have checked with you internally before changing it (trying to be helpful sometimes is not, I guess :)

Reverting it now!

> I was busy testing edge cases ... I also didn't find any regressions in my edge case tests.

Oops, apparently that means the tags should remain set, if I understand it correctly; but I'll leave it up to you so not to maximize confusion :)

No worries! Thank you

python-cryptography 3.4.8-1ubuntu2~cloud1 has been released to yoga-updates. Thanks!