jenkins-bot merged this change.

Approvals:
  Framawiki: Looks good to me, but someone else must approve
  Xqt: Looks good to me, approved
  jenkins-bot: Verified

Remove cryptography<2.3 from python<=2.7.6 requirements

It's better to let users deal with the error rather than to have an
insecure dependency in requirements.

- Remove cryptography>=1.3.4,<2.3 from requirements
- Use requests[security] instead of individually installing them.

The change will cause test failures on Travis-CI's
Python 2.7_with_system_site_packages job. Reconfigure that job to use a
Xenial dist instead of Trusty which has a more up-to-date ssl module.

Note that although Toolforge currently has an old Python version (2.7.6),
the ssl module is recent enough to not have this issue. So, this change
will not affect Toolforge users.

Bug: T203435
Change-Id: Ia7a1672cadf45a15a12969598f95f5cc5384995d
---
M .travis.yml
M requests-requirements.txt
M requirements.txt
M setup.py
4 files changed, 5 insertions(+), 16 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 479b58b..30e5218 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -131,7 +131,7 @@
include:
- python: '2.7_with_system_site_packages'
env: LANGUAGE=nb FAMILY=wikipedia DIST=trusty PYSETUP_TEST_EXTRAS=1 PYWIKIBOT_TEST_NO_RC=1
- dist: trusty
+ dist: xenial
sudo: required
addons:
apt:
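Review bot: the env line of this job still sets DIST=trusty while the dist key directly below it now says xenial, so anything that reads $DIST will describe the wrong image. Update the env entry to DIST=xenial in the same change, or drop the variable if nothing consumes it.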
diff --git a/requests-requirements.txt b/requests-requirements.txt
index 98c4f2c..1e18a8d 100644
--- a/requests-requirements.txt
+++ b/requests-requirements.txt
@@ -3,10 +3,4 @@
requests>=2.9,!=2.18.2

# requests security extra
-# Bug T105767 on Python 2.7 release 9+
-cryptography>=1.3.4 ; python_full_version == '2.7.7' or python_full_version == '2.7.8'
-cryptography>=1.3.4,<2.3 ; python_full_version <= '2.7.6'
-pyOpenSSL>=0.14,!=17.2.0 ; python_full_version < '2.7.9'
-idna>=2.0.0 ; python_full_version < '2.7.9'
-# https://github.com/eliben/pycparser/issues/147
-pycparser != 2.14
+requests[security] ; python_full_version > '2.7.6' and python_full_version < '2.7.9'
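Review bot: the removed lines carried two exclusions, pyOpenSSL !=17.2.0 and pycparser != 2.14 (with its issue link), and the single requests[security] line that replaces them carries no such exclusion, so on 2.7.7 and 2.7.8 the resolver is free to pick those releases again. If they are still known-bad, keep them as standalone constraint lines under the same marker; if they are obsolete, say so in the commit message.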
diff --git a/requirements.txt b/requirements.txt
index 18c5c52..66019c6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -22,13 +22,7 @@
requests>=2.9,!=2.18.2

# requests security extra
-cryptography>=1.3.4 ; python_full_version == '2.7.7' or python_full_version == '2.7.8'
-cryptography>=1.3.4,<2.3 ; python_full_version <= '2.7.6'
-pyOpenSSL>=0.14,!=17.2.0 ; python_full_version < '2.7.9'
-
-idna>=2.0.0 ; python_full_version < '2.7.9'
-# https://github.com/eliben/pycparser/issues/147
-pycparser != 2.14
+requests[security] ; python_full_version > '2.7.6' and python_full_version < '2.7.9'

future>=0.15.0 ; python_full_version < '2.7.3'

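Review bot: the new marker on the requests[security] line leaves Python 2.7.6 and older with none of the security extras, and nothing in this file says why. Add a short comment above the line noting that the lower bound is deliberate and pointing at T203435, as the setup.py part of this change does with its one-line comment. The same boundary is now written out in requirements.txt, requests-requirements.txt and setup.py, so a comment here also helps keep the three in step.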
diff --git a/setup.py b/setup.py
index 2bf1b9c..4494d88 100644
--- a/setup.py
+++ b/setup.py
@@ -131,13 +131,14 @@
if PYTHON_VERSION == (2, 7, 2):
dependencies.append('future>=0.15.0') # Bug fixes for HTMLParser

- if PYTHON_VERSION < (2, 7, 9):
+ if (2, 7, 6) < PYTHON_VERSION < (2, 7, 9):
# Python versions before 2.7.9 will cause urllib3 to trigger
# InsecurePlatformWarning warnings for all HTTPS requests. By
# installing with security extras, requests will automatically set
# them up and the warnings will stop. See
# <https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning>
# for more details.
+ # There is no secure version of cryptography for Python 2.7.6 or older.
dependencies += extra_deps['security']

script_deps['data_ingestion.py'] = extra_deps['csv']
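Review bot: the existing comment under the new condition still says that versions before 2.7.9 trigger InsecurePlatformWarning and that installing the extras stops the warnings, which no longer holds for 2.7.6 and older now that they are skipped. Reword the block so it states that those versions are left without the extras on purpose and will keep seeing the warning, and reference T203435 next to the added line.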

Gerrit-Project: pywikibot/core
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ia7a1672cadf45a15a12969598f95f5cc5384995d
Gerrit-Change-Number: 458823
Gerrit-PatchSet: 5
Gerrit-Owner: Dalba <dalba.wiki@gmail.com>
Gerrit-Reviewer: Dalba <dalba.wiki@gmail.com>
Gerrit-Reviewer: Framawiki <framawiki@tools.wmflabs.org>
Gerrit-Reviewer: John Vandenberg <jayvdb@gmail.com>
Gerrit-Reviewer: Xqt <info@gno.de>
Gerrit-Reviewer: jenkins-bot (75)