py37-openssl broken dependency

Hi all,

A pkg upgrade I did yesterday broke my net-p2p/deluge-cli installation. security/py-openssl was upgraded from v19.1.0 to v20.1.0. A dependency of the latter is security/py-cryptography; py37-openssl v20 requires v3.2 or higher of the latter. However, py37-cryptography is currently at v2.9.2 in the pkg system. This breaks py37-openssl and hence deluged fails to start. Using pkg, I removed v20 and reinstalled v19 of py37-openssl. deluged now runs again.

For the time being I have locked py37-ssl so that I don't inadvertently upgrade it again with pkg.

Question: is there anything constructive I can do with this information? Should I look up a port maintainer to inform them? Please advise!
 
Looks like it's been noticed and fixed.

You might not have this fix if you're on the quarterly ports branch.

As an aside, this gives me the heebie-jeebies:
"If the issue with py-cryptography becoming dependent on a rust toolchain is a blocker, then a compromise might be to update py-cryptography to version 3.3.2 (Released on 2021-02-07) which is the last version before the rust dependency was introduced."
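
The mismatch described in the first post (a Python package whose declared minimum for cryptography is newer than the version actually installed) can be detected before a daemon fails to start. The following is an added example, not code from the thread or from the ports tree; the function names and the sample metadata are constructed for illustration, and `importlib.metadata` needs Python 3.8 or later.

```python
import operator
import re
from importlib import metadata  # standard library from Python 3.8

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}
# Constructed sample of Requires-Dist lines; only cryptography>=3.2 is from the thread.
SAMPLE_REQUIRES = ["cryptography (>=3.2)", "six>=1.5.2", "flaky ; extra == 'test'"]

def release(v):
    """'2.9.2' -> (2, 9, 2); anything after the numeric release is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def satisfies(version, spec):
    """True if version meets every clause of e.g. '>=3.2,<4' ('~=' and wildcards are ignored)."""
    for op, want in re.findall(r"(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)", spec):
        a, b = release(version), release(want)
        n = max(len(a), len(b))  # pad so that 3.2 and 3.2.0 compare equal
        a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
        if not OPS[op](a, b):
            return False
    return True

def unmet(requires, installed):
    """Return (name, spec, found) for each hard requirement that installed does not meet."""
    bad = []
    for req in requires or []:
        head, _, marker = req.partition(";")
        if "extra" in marker:  # optional extras; other markers are treated as unconditional
            continue
        m = re.match(r"\s*([\w.-]+)\s*(.*)", head)
        name, spec = m.group(1).lower().replace("_", "-"), m.group(2).strip(" ()")
        found = installed.get(name)
        if found is None or not satisfies(found, spec):
            bad.append((name, spec, found))
    return bad

def check(dist):
    """Run the same check against the packages installed for this interpreter."""
    reqs, installed = metadata.requires(dist) or [], {}
    for r in reqs:
        n = re.match(r"\s*([\w.-]+)", r).group(1)
        try:
            installed[n.lower().replace("_", "-")] = metadata.version(n)
        except metadata.PackageNotFoundError:
            pass  # missing entirely: unmet() reports it with found=None
    return unmet(reqs, installed)
```

Calling `check("pyOpenSSL")` after an upgrade returns an empty list when the installed dependencies meet the declared minimums, and names the offending package otherwise.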