From 38ffa207ba3c7fec11cef52bdce316523b1d79cd Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Thu, 27 May 2021 18:39:48 +0530 Subject: [PATCH] Fixes #5898 Adds latest cryptography This commit brings in the rust compiler toolchain during the package build and also updates the cryptography package to the latest 3.4.7 --- .../tasks/main.yml | 10 +++++ .../tasks/translations.yml | 2 + .../securedrop-app-code-requirements.in | 9 +---- .../securedrop-app-code-requirements.txt | 37 +++++++------------ 4 files changed, 27 insertions(+), 31 deletions(-) diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml index 09ddab43c8f..da7c49f3d61 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml @@ -38,6 +38,15 @@ rm -f /usr/share/python-wheels/setuptools-*.whl mv /tmp/securedrop-app-code-requirements-download/setuptools-*.whl /usr/share/python-wheels/ +- name: Get rustup + command: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs --output /tmp/rustup.sh + +- name: Install Rust compiler + command: sh /tmp/rustup.sh --default-toolchain=1.52.1 -y + +- name: Add the path to bash + command: echo "source $HOME/.cargo/env" >> $HOME/.bashrc + - include: sass.yml - include: translations.yml @@ -121,6 +130,7 @@ chdir: "{{ securedrop_app_code_deb_dir }}" environment: DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs" + PATH: /root/.cargo/bin:{{ ansible_env.PATH }} - name: Find newly built Debian package find: diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml index d2dd2a4f01b..2076e04e0e1 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml 
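Review bot: The `Get rustup` and `Install Rust compiler` tasks in the first hunk of `tasks/main.yml` run an installer script fetched at build time with no integrity check, whereas the Python dependencies in this role are installed with `--require-hashes`; the toolchain is pinned to 1.52.1 but the script that installs it is not. Fetching a fixed `rustup-init` release with `get_url` and its `checksum` parameter, as sketched below with placeholder values, makes the build fail if the installer changes; the toolchain components it then downloads are still trusted only through TLS to the distribution server. Separately, `Add the path to bash` uses the `command` module, which does not invoke a shell, so `>>` and `$HOME` reach `echo` as literal arguments and `.bashrc` is never written. Since the build tasks set `PATH` explicitly, that task can be removed.

```yaml
# Placeholders: fill in a pinned rustup-init URL and its published SHA-256.
- name: Get rustup-init
  get_url:
    url: "<PINNED_RUSTUP_INIT_URL>"
    dest: /tmp/rustup-init
    checksum: "sha256:<EXPECTED_SHA256>"
    mode: "0755"

- name: Install Rust compiler
  command: /tmp/rustup-init --default-toolchain=1.52.1 -y
```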
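Review bot: The added `PATH` entry in the second hunk of `tasks/main.yml` hard-codes `/root/.cargo/bin`, while the task added earlier in the same file refers to `$HOME/.cargo/env`, so the build presumably finds `cargo` only when it runs as root; the same line is added in the `tasks/translations.yml` hunk. Deriving the directory from the build user's home and quoting the templated value keeps the two consistent: `PATH: "{{ ansible_env.HOME }}/.cargo/bin:{{ ansible_env.PATH }}"`. The task that owns this `environment:` block starts outside the hunk.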
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml @@ -6,6 +6,8 @@ python3 -m venv /tmp/securedrop-app-code-i18n-ve && /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/translation-requirements.txt && /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt + environment: + PATH: /root/.cargo/bin:{{ ansible_env.PATH }} tags: - pip diff --git a/securedrop/requirements/python3/securedrop-app-code-requirements.in b/securedrop/requirements/python3/securedrop-app-code-requirements.in index bbcc42adbae..addfd3dee63 100644 --- a/securedrop/requirements/python3/securedrop-app-code-requirements.in +++ b/securedrop/requirements/python3/securedrop-app-code-requirements.in @@ -2,13 +2,8 @@ alembic argon2_cffi>=20.1.0 cffi>=1.14.2 -# The next release of cryptography after 3.2.1 will remove support for -# OpenSSL 1.0.2, which is what we have on Xenial. If we're not on -# Focal the next time the following requirement needs to be updated, -# we will have to consider bundling a binary wheel of cryptography in -# the securedrop-app-code package, so it includes a supported version -# of OpenSSL. -cryptography>=3.2 +# This version needs Rust for compilation. +cryptography>=3.4.7 Flask-Assets Flask-Babel diff --git a/securedrop/requirements/python3/securedrop-app-code-requirements.txt b/securedrop/requirements/python3/securedrop-app-code-requirements.txt index 4936b85450c..c9d1c9de354 100644 --- a/securedrop/requirements/python3/securedrop-app-code-requirements.txt +++ b/securedrop/requirements/python3/securedrop-app-code-requirements.txt 
@@ -68,29 +68,19 @@ click==6.7 \ # via # flask # rq -cryptography==3.2.1 \ - --hash=sha256:07ca431b788249af92764e3be9a488aa1d39a0bc3be313d826bbec690417e538 \ - --hash=sha256:13b88a0bd044b4eae1ef40e265d006e34dbcde0c2f1e15eb9896501b2d8f6c6f \ - --hash=sha256:32434673d8505b42c0de4de86da8c1620651abd24afe91ae0335597683ed1b77 \ - --hash=sha256:3cd75a683b15576cfc822c7c5742b3276e50b21a06672dc3a800a2d5da4ecd1b \ - --hash=sha256:4e7268a0ca14536fecfdf2b00297d4e407da904718658c1ff1961c713f90fd33 \ - --hash=sha256:545a8550782dda68f8cdc75a6e3bf252017aa8f75f19f5a9ca940772fc0cb56e \ - --hash=sha256:55d0b896631412b6f0c7de56e12eb3e261ac347fbaa5d5e705291a9016e5f8cb \ - --hash=sha256:5849d59358547bf789ee7e0d7a9036b2d29e9a4ddf1ce5e06bb45634f995c53e \ - --hash=sha256:6dc59630ecce8c1f558277ceb212c751d6730bd12c80ea96b4ac65637c4f55e7 \ - --hash=sha256:7117319b44ed1842c617d0a452383a5a052ec6aa726dfbaffa8b94c910444297 \ - --hash=sha256:75e8e6684cf0034f6bf2a97095cb95f81537b12b36a8fedf06e73050bb171c2d \ - --hash=sha256:7b8d9d8d3a9bd240f453342981f765346c87ade811519f98664519696f8e6ab7 \ - --hash=sha256:a035a10686532b0587d58a606004aa20ad895c60c4d029afa245802347fab57b \ - --hash=sha256:a4e27ed0b2504195f855b52052eadcc9795c59909c9d84314c5408687f933fc7 \ - --hash=sha256:a733671100cd26d816eed39507e585c156e4498293a907029969234e5e634bc4 \ - --hash=sha256:a75f306a16d9f9afebfbedc41c8c2351d8e61e818ba6b4c40815e2b5740bb6b8 \ - --hash=sha256:bd717aa029217b8ef94a7d21632a3bb5a4e7218a4513d2521c2a2fd63011e98b \ - --hash=sha256:d25cecbac20713a7c3bc544372d42d8eafa89799f492a43b79e1dfd650484851 \ - --hash=sha256:d26a2557d8f9122f9bf445fc7034242f4375bd4e95ecda007667540270965b13 \ - --hash=sha256:d3545829ab42a66b84a9aaabf216a4dce7f16dbc76eb69be5c302ed6b8f4a29b \ - --hash=sha256:d3d5e10be0cf2a12214ddee45c6bd203dab435e3d83b4560c03066eda600bfe3 \ - --hash=sha256:efe15aca4f64f3a7ea0c09c87826490e50ed166ce67368a68f315ea0807a20df +cryptography==3.4.7 \ + 
--hash=sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d \ + --hash=sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959 \ + --hash=sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6 \ + --hash=sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873 \ + --hash=sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2 \ + --hash=sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713 \ + --hash=sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1 \ + --hash=sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177 \ + --hash=sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250 \ + --hash=sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca \ + --hash=sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d \ + --hash=sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9 # via -r requirements/python3/securedrop-app-code-requirements.in flask-assets==0.12 \ --hash=sha256:6031527b89fb3509d1581d932affa5a79dd348cfffb58d0aef99a43461d47847 @@ -248,7 +238,6 @@ six==1.11.0 \ --hash=sha256:832dc0e10feb1aa2c68dcc57dbb658f1c7e65b9b61af69048abc87a2db00a0eb # via # argon2-cffi - # cryptography # python-dateutil # qrcode sqlalchemy==1.3.3 \