On 4/29/20 10:31 AM, Paul Howarth wrote:
>Hi Lumir,
>
>On Wed, 29 Apr 2020 07:35:43 +0200
>Lumir Balhar <lbalhar(a)redhat.com> wrote:
>
>>Hello.
>>
>>I'd like to switch python-dns crypto backend from pycryptodomex and
>>ecdsa to python-cryptography. Upstream already did the same in master
>>branch:
>>https://github.com/rthalley/dnspython/pull/449
>>
>>But, because python2-cryptography is not available in Fedora anymore,
>>this change will disable DNSSEC functionality in python2-dns. There
>>are only two packages depending on python2-dns: mailman and
>>trac-spamfilter-plugin. I did a check and rebuild of both of them and
>>it seems that they both work with the new version and there is no
>>usage of DNSSEC in their codebases. COPR:
>>https://copr.fedorainfracloud.org/coprs/lbalhar/dns/
>>
>>PR:
>>https://src.fedoraproject.org/rpms/python-dns/pull-request/5
>>
>>If you think we should not merge the PR, let us know rather sooner
>>than later.
>No objections from me (trac-spamfilter-plugin maintainer); it uses
>python-dns for IP blacklist lookups and I wouldn't be surprised if
>mailman did the same.
Great!
>On the other hand, maybe the crypto backend could be changed for Python
>3 and not for the Python 2 version? I would hope that the Python 2
>version wouldn't need to be maintained for too much longer anyway.
That would mean either shipping two different codebases from one SRPM
(python-dns) or creating a new SRPM just for python2-dns and using the old
codebase there. The first one is (in my opinion) a bad idea and would
make the spec file ugly. The second solution is kind of a lot of work for
nothing. So I hope nobody will be affected by missing DNSSEC in
python2-dns :)
Could you please add a sentence like 'Note this library has no DNSSEC
support' to the python2-dns subpackage description?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland