
Re: Dependency on python-oauth2



On 02/10/2014 02:41 AM, Iain R. Learmonth wrote:
> Hi,
> 
> I am attempting to get a package into Debian. I have it packaged and
> accepted into unstable but due to a dependency on python-oauth2 it has
> been held back from entering testing.
> 
> https://security-tracker.debian.org/tracker/source-package/python-oauth2
> 
> There are two open security problems with python-oauth2. It has been
> removed from testing also and will not be in the next stable release of
> Debian unless these bugs are fixed.
> 
> irl@orbiter:~$ apt-cache rdepends python-oauth2
> python-oauth2
> Reverse Depends:
>   turses
>   python-django-social-auth
>   python-keystone
>   python-django-oauth-plus
>   python-djangorestframework
>   python-django-social-auth
> 
> There are also a number of packages that depend on python-oauth2 that
> will disappear on the next stable release.
> 
> Is there currently any effort to patch these problems in python-oauth2?
> I notice these bugs were filed on the 13th Sep 2013. There has been no
> activity in python-oauth2 on GitHub in over 2 years as far as I can see.
> 
> If there is no effort to fix these bugs, could someone recommend an
> alternative package to depend on to provide OAuth2 client functionality
> for a Python module? I think upstream would likely be willing to
> refactor for the new library.
> 
> Thanks,
> Iain.

Hi,

python-oauth2 is indeed not maintained anymore upstream, and has
security problems. As a consequence, I worked out a patch for keystone
so that it uses oauthlib instead. I would recommend that you do the
same, and that you do not rely on oauth2. Note that the API of oauthlib
is different from oauth2, even though they are supposed to do the same
kind of thing.

I hope this helps,
Cheers,

Thomas Goirand (zigo)
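An added example, not code from this thread, from Debian, keystone, python-oauth2 or oauthlib: since oauthlib's API differs from oauth2's, the first step of the refactor Thomas suggests is to list every oauth2 name the package actually touches, so each call site can be mapped to its oauthlib counterpart (or dropped). The script below walks a module's AST and reports each attribute reached through `import oauth2 [as x]` or `from oauth2 import Y`, with the lines where it is used. The sample source is constructed for the demonstration, and the class names it uses (Consumer, Token, Client, Request, SignatureMethod_HMAC_SHA1) are assumed to be python-oauth2's.

```python
"""Report which names from the `oauth2` module a Python source file uses.

Added example for this thread; not code from Debian, keystone, oauthlib or
python-oauth2. Scoping a refactor away from python-oauth2 starts with a list
of every oauth2 attribute the code touches, because oauthlib offers no
drop-in equivalents and each call site needs a mapping of its own.
"""
import ast
import sys

TARGET_MODULE = "oauth2"


class OAuth2UsageVisitor(ast.NodeVisitor):
    """Collect uses of `import oauth2 [as x]` and `from oauth2 import Y [as z]`."""

    def __init__(self):
        self.module_aliases = set()   # local names bound to the oauth2 module
        self.imported_names = {}      # local name -> "oauth2.<Name>"
        self.uses = {}                # "oauth2.<Name>" -> [line numbers]

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == TARGET_MODULE:
                self.module_aliases.add(alias.asname or alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # level == 0 excludes relative imports of a local module named oauth2
        if node.module == TARGET_MODULE and node.level == 0:
            for alias in node.names:
                self.imported_names[alias.asname or alias.name] = (
                    f"{TARGET_MODULE}.{alias.name}"
                )
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # `oauth.Consumer(...)` where `oauth` is an alias of the oauth2 module
        if isinstance(node.value, ast.Name) and node.value.id in self.module_aliases:
            self._record(f"{TARGET_MODULE}.{node.attr}", node.lineno)
        self.generic_visit(node)

    def visit_Name(self, node):
        # `Token(...)` after `from oauth2 import Token`; only reads are counted
        if isinstance(node.ctx, ast.Load) and node.id in self.imported_names:
            self._record(self.imported_names[node.id], node.lineno)
        self.generic_visit(node)

    def _record(self, qualified_name, lineno):
        self.uses.setdefault(qualified_name, []).append(lineno)


def find_oauth2_uses(source):
    """Return {"oauth2.<Name>": [line, ...]} for every use found in `source`."""
    visitor = OAuth2UsageVisitor()
    visitor.visit(ast.parse(source))
    return {name: sorted(lines) for name, lines in visitor.uses.items()}


# Constructed sample: a small client written against python-oauth2's API
# (the class names are assumed from that library; the code is not from it).
SAMPLE_SOURCE = """\
import oauth2 as oauth
from oauth2 import Token, SignatureMethod_HMAC_SHA1
import json

consumer = oauth.Consumer(key="ck", secret="cs")
token = Token("tk", "ts")
client = oauth.Client(consumer, token)
req = oauth.Request.from_consumer_and_token(consumer, token, http_url=URL)
req.sign_request(SignatureMethod_HMAC_SHA1(), consumer, token)
resp, content = client.request(URL, "GET")
"""


def report(source, label="<source>"):
    """Print one line per oauth2 name used, and return the mapping."""
    uses = find_oauth2_uses(source)
    for name in sorted(uses):
        lines = ", ".join(str(n) for n in uses[name])
        print(f"{label}: {name} used at line(s) {lines}")
    return uses


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                report(fh.read(), path)
    else:
        report(SAMPLE_SOURCE, "sample")
```

Run it with the package's source files as arguments (or with none to scan the built-in sample). It only sees direct attribute access and from-imports; names reached through re-exports, `getattr` with string arguments, or `import oauth2.submodule` are not reported and need a grep pass of their own.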