Opened 4 years ago

Closed 4 years ago

#16948 closed enhancement (fixed)

Download PyCrypto from pypi.python.org for our Gitian builds

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-gitian, TorBrowserTeam201509R, GeorgKoppen201509
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by gk)

Using https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz for downloading PyCrypto is annoying like hell on our LXC machine. We could use
https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz which even has a signature for it: https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz.asc

Thanks to isis for spotting this.

Change History (4)

comment:1 Changed 4 years ago by gk

Description: modified (diff)

comment:2 Changed 4 years ago by gk

Keywords: TorBrowserTeam201509R GeorgKoppen201509 added
Status: new → needs_review

bug_16948 (https://gitweb.torproject.org/user/gk/tor-browser-bundle.git/commit/?h=bug_16948&id=ee65c473f4f5a3bd8ae52d0f5ff0c39bbe3e5162) in my tor-browser-bundle repo has the fix. It resolves the SNI issue (although we hit that for the Go download, too :( ) but is good for reliability as well, as I encountered dlitz.net outages from time to time when trying to build something.

comment:3 Changed 4 years ago by mcs

r=mcs

I assume it does not make sense to use the signature at this time instead of checking a hash?

comment:4 Changed 4 years ago by gk

Resolution: fixed
Status: needs_review → closed

We are already doing both! The PyCrypto signature is part of the weak-key-club at the moment. I agree, we could look over that club again and try to decide what a weak key is and treat the member accordingly. For now, leaving the things as is seems not bad to me. Fixed in commit ca56d487d9d59d59e1d7e9b4af760379ac0f876b on master and in commit 8610ac13cda8ba91d2baba93c28c7fd726ca3c7c on maint-5.0
