Fix RandomPool Deprecation Warning from pycrypto

Bug #682600 reported by Dimitri John Ledkov
This bug report is a duplicate of:  Bug #271791: Paramiko depends on RandomPool.
This bug affects 2 people
Affects            Status        Importance  Assigned to  Milestone
Bazaar             Confirmed     Medium      Unassigned
paramiko (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

See bug #249765 in PyCrypto

$ bzr pull
Using saved parent location: bzr+ssh://bazaar.launchpad.net/~xiphos-devel/xiphos/trunk/
/usr/lib/python2.6/dist-packages/Crypto/Util/randpool.py:40: RandomPool_DeprecationWarning: This application uses RandomPool, which is BROKEN in older releases. See http://www.pycrypto.org/randpool-broken
  RandomPool_DeprecationWarning)
No revisions to pull.

$ bzr --version
Bazaar (bzr) 2.3b3
  Python interpreter: /usr/bin/python 2.6.6
  Python standard library: /usr/lib/python2.6
  Platform: Linux-2.6.37-6-generic-i686-with-Ubuntu-11.04-natty
  bzrlib: /usr/lib/python2.6/dist-packages/bzrlib
  Bazaar configuration: /home/tdlk/.bazaar
  Bazaar log file: /home/tdlk/.bzr.log

$ dpkg-query -W bzr
bzr 2.3.0~beta3-1~bazaar1~maverick1

----

To summarize this for Ubuntu: maverick's paramiko always gives this warning because it uses an old api in pycrypto. (I presume the same is true in natty.) There is no actual bug as such, because Ubuntu has a newer pycrypto. There is no upstream paramiko fix for this and the upstream is unresponsive. We would like to apply in the package a fix that will update it to use the new api so there is no warning.

Tags: paramiko

Related branches

visibility: private → public
Revision history for this message
John A Meinel (jameinel) wrote :

This is caused by having a new PyCrypto but not a new Paramiko. Paramiko was using an api in PyCrypto that they strongly deprecated in new code.

IIRC, this has already been documented, and somebody submitted a patch upstream, but paramiko hasn't responded yet (a month or two later).

Maybe we just need to push that into the ppa?

Changed in bzr:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
John A Meinel (jameinel) wrote :

Arguably this is a dupe of bug #271791, but I'm leaving it here, because we probably need to do something with the bzr infrastructure.

Note that running *release* versions of bzr will automatically suppress deprecation warnings like this.

Revision history for this message
John A Meinel (jameinel) wrote :

Also, it might be possible to just install openssh-client which would then be used as the primary ssh handler, rather than using paramiko internally. I'm not 100% sure that this will silence the deprecation warning, because it may trigger on import, rather than just on actual use.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Why is bug #271791 not a security vulnerability in Ubuntu?

Is it sufficient to apply http://bazaar.launchpad.net/%7Evcs-imports/paramiko/no-randompool/diff/534 to paramiko package in ubuntu package to fix this?

Is it the same as http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706 with assigned CVE-2008-0299?

Revision history for this message
Martin Packman (gz) wrote :

The very fact the warning is printed means there's no security vulnerability, because as it says it's about problems with an older version of pycrypto. The CVE is about a different but related issue with paramiko. Neither Ubuntu nor the Bazaar installers ship vulnerable versions of either package.

Making the scary but pointless warning go away means applying that patch to paramiko, which we do where possible, but will mean getting it applied to the (unresponsive) upstream before it's picked up by some distros.

Revision history for this message
Martin Pool (mbp) wrote :

> Is it sufficient to apply http://bazaar.launchpad.net/%7Evcs-imports/paramiko/no-randompool/diff/534 to paramiko package in ubuntu package to fix this?

I think we should apply that fix in Ubuntu. That is not as good as it being in a new upstream release, but it's better than fixing it only in Bazaar.

I'm going to retarget this bug to the paramiko package in Ubuntu.

Martin Pool (mbp)
description: updated
tags: added: paramiko
Changed in bzr:
importance: High → Medium
Revision history for this message
John A Meinel (jameinel) wrote : Re: [Bug 682600] Re: Fix RandomPool Deprecation Warning from pycrypto

...
> + To summarize this for Ubuntu: maverick's paramiko always gives this
> + warning because it uses an old api in pycrypto. (I presume the same is
> + true in natty.) There is no actual bug as such, because Ubuntu has a
> + newer pycrypto. There is no upstream paramiko fix for this and the
> + upstream is unresponsive. We would like to apply in the package a fix
> + that will update it to use the new api so there is no warning.
>

Note that there shouldn't be a warning for released versions of bzr,
because we squash all deprecation warnings at runtime. There will only
be warnings for people who combine paramiko + new pycrypto + beta bzr.

That said, we really should get the updated paramiko anyway.

John
=:->

security vulnerability: yes → no
Revision history for this message
Martin Pool (mbp) wrote :

On 1 December 2010 02:02, John Arbash Meinel <email address hidden> wrote:
> Note that there shouldn't be a warning for released versions of bzr,
> because we squash all deprecation warnings at runtime. There will only
> be warnings for people who combine paramiko + new pycrypto + beta bzr.
>
> That said, we really should get the updated paramiko anyway.

Does that mean (contra the previous comment) there is in fact a
released paramiko without this problem? Is it in Natty? If so I'd be
content to just close this.

--
Martin

Revision history for this message
Jeremy T. Bouse (jbouse) wrote :

On 11/30/2010 06:10 PM, Martin Pool wrote:
> On 1 December 2010 02:02, John Arbash Meinel <email address hidden> wrote:
>> Note that there shouldn't be a warning for released versions of bzr,
>> because we squash all deprecation warnings at runtime. There will only
>> be warnings for people who combine paramiko + new pycrypto + beta bzr.
>>
>> That said, we really should get the updated paramiko anyway.
>
> Does that mean (contra the previous comment) there is in fact a
> released paramiko without this problem? Is it in Natty? If so I'd be
> content to just close this.
>
> --
> Martin
>

 There is no current release of paramiko that has been updated to use
whatever the new non-deprecated method is, that I'm aware of, as I've been
looking for one to get prepared for Debian.

Revision history for this message
John A Meinel (jameinel) wrote :

On 11/30/2010 5:10 PM, Martin Pool wrote:
> On 1 December 2010 02:02, John Arbash Meinel <email address hidden> wrote:
>> Note that there shouldn't be a warning for released versions of bzr,
>> because we squash all deprecation warnings at runtime. There will only
>> be warnings for people who combine paramiko + new pycrypto + beta bzr.
>>
>> That said, we really should get the updated paramiko anyway.
>
> Does that mean (contra the previous comment) there is in fact a
> released paramiko without this problem? Is it in Natty? If so I'd be
> content to just close this.
>
> --
> Martin
>

bzr startup suppresses all deprecation warnings if it is a release version.

John
=:->


Revision history for this message
Martin Pool (mbp) wrote :

On 1 December 2010 17:23, John Arbash Meinel <email address hidden> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 11/30/2010 5:10 PM, Martin Pool wrote:
>> On 1 December 2010 02:02, John Arbash Meinel <email address hidden> wrote:
>>> Note that there shouldn't be a warning for released versions of bzr,
>>> because we squash all deprecation warnings at runtime. There will only
>>> be warnings for people who combine paramiko + new pycrypto + beta bzr.
>>>
>>> That said, we really should get the updated paramiko anyway.
>>
>> Does that mean (contra the previous comment) there is in fact a
>> released paramiko without this problem?  Is it in Natty?  If so I'd be
>> content to just close this.
>>
>> --
>> Martin
>>
>
>
> bzr startup suppresses all deprecation warnings if it is a release version.

I know, I was just wondering what you meant by "the updated paramiko":
a patched version or a new upstream release.

It seems to me we should get the patch into Debian and from there into Natty.

--
Martin

Revision history for this message
Gordon Tyler (doxxx) wrote :

On 12/1/2010 1:40 AM, Martin Pool wrote:
> I know, I was just wondering what you meant by "the updated paramiko":
> a patched version or a new upstream release.
>
> It seems to me we should get the patch into Debian and from there into
> Natty.

Just to be a little selfish here, the same problem affects Windows and
Mac OS X users.

For OS X, I patch paramiko automatically during the installer build to
suppress the deprecation warnings. It would be nice to have a proper fix
made to upstream paramiko though.

Ciao,
Gordon

Revision history for this message
Martin Pool (mbp) wrote :

On 2 December 2010 01:27, Gordon Tyler <email address hidden> wrote:
> On 12/1/2010 1:40 AM, Martin Pool wrote:
>> I know, I was just wondering what you meant by "the updated paramiko":
>> a patched version or a new upstream release.
>>
>> It seems to me we should get the patch into Debian and from there into
>> Natty.
>
> Just to be a little selfish here, the same problem affects Windows and
> Mac OS X users.
>
> For OS X, I patch paramiko automatically during the installer build to
> suppress the deprecation warnings. It would be nice to have a proper fix
> made to upstream paramiko though.

I think it would be reasonable and good to change bzr so that it
suppresses this particular warning even in development/beta releases.
Showing it is not helping anyone. In fact let's say the bzr side of
this bug is to do just that.

--
Martin

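The two fixes discussed in this thread, the package-side move from RandomPool to the newer PyCrypto API (bug description) and the bzr-side suppression of this one warning (Martin Pool's comment above), as an added example. This is not the Gary van der Merwe patch, not paramiko code and not bzr code; it assumes Crypto.Random.new().read(n) is the replacement API the warning points to, falls back to os.urandom when PyCrypto is not installed, and uses a constructed stand-in for Crypto.Util.randpool.RandomPool_DeprecationWarning so it runs offline. The filter is keyed on the warning's message text, so other DeprecationWarnings still surface:

```python
"""Added example: RandomPool migration plus a targeted warning filter.

Not paramiko's or bzr's code. Assumptions (labelled below): the
replacement API is Crypto.Random.new().read(n); the warning class and
message are reproduced here as stand-ins so the example runs without
PyCrypto installed.
"""
import os
import warnings


def random_bytes(n):
    """Return n random bytes from the non-deprecated PyCrypto API.

    Assumption: Crypto.Random (PyCrypto >= 2.1) is the API the warning
    tells RandomPool users to move to. The import is lazy so callers
    without PyCrypto get os.urandom instead of an ImportError.
    """
    try:
        from Crypto import Random
    except ImportError:
        return os.urandom(n)
    return Random.new().read(n)


class RandomPool_DeprecationWarning(DeprecationWarning):
    """Constructed stand-in for Crypto.Util.randpool's warning class."""


# Constructed copy of the message text shown in the bug report.
RANDPOOL_MESSAGE = ("This application uses RandomPool, which is BROKEN in "
                    "older releases. See http://www.pycrypto.org/randpool-broken")


def legacy_randompool_import():
    """Mimics the warning that importing Crypto.Util.randpool raises."""
    warnings.warn(RANDPOOL_MESSAGE, RandomPool_DeprecationWarning)


def suppress_randompool_warning():
    """Silence only the RandomPool warning.

    Matching on the message prefix avoids importing the (deprecated)
    module just to reference its warning class, and avoids blanket
    'ignore DeprecationWarning' filters that also hide unrelated,
    possibly security-relevant, deprecations.
    """
    warnings.filterwarnings("ignore",
                            message=r"This application uses RandomPool")


def collect_warnings(suppress):
    """Return the categories emitted by a legacy import plus one other
    deprecation, with or without the targeted filter installed."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        if suppress:
            suppress_randompool_warning()  # inserted ahead of "always"
        legacy_randompool_import()
        warnings.warn("some other deprecated API", DeprecationWarning)
    return [w.category for w in caught]


if __name__ == "__main__":
    print(len(random_bytes(32)), "random bytes")
    print("unfiltered:", [c.__name__ for c in collect_warnings(False)])
    print("filtered:  ", [c.__name__ for c in collect_warnings(True)])
```

A process that drops every DeprecationWarning, as the thread notes bzr release builds do, would silence this message too, but at the cost of hiding any later deprecation of a crypto API that actually matters; the message-keyed filter above is the narrower choice for a beta or development build.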
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package paramiko - 1.7.6-5ubuntu1

---------------
paramiko (1.7.6-5ubuntu1) natty; urgency=low

  [ Jelmer Vernooij ]

  * Avoid deprecated RandomPool. Patch by Gary van der Merwe. Closes:
    #576697, LP: #271791, LP: #682600.
  * Switch to source format 3.0 (quilt).

  [ Andrew Bennetts ]

  * Try connecting to each available address family until one succeeds.
    LP: #579530
 -- Jelmer Vernooij <email address hidden> Fri, 14 Jan 2011 06:54:41 +0100

Changed in paramiko (Ubuntu):
status: New → Fix Released