--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
youtube-dl 2014.08.05-1 requires SSLv3 in https requests, and doesn't use
protocol negotiation. See #780059. This, besides being bad and not very
future-proof, has caused complete incompatibility with Python 2.7.9,
which dropped the PROTOCOL_SSLv3 attribute from the ssl module.
This bug has been fixed, by the upstream, in unstable. But at this point
in the freeze, I doubt you'd consider letting the latest upstream
version migrate to testing.
So, please consider this t-p-u upload:
diff -Nru youtube-dl-2014.08.05/debian/changelog youtube-dl-2014.08.05/debian/changelog
--- youtube-dl-2014.08.05/debian/changelog 2014-08-06 11:43:31.000000000 -0700
+++ youtube-dl-2014.08.05/debian/changelog 2015-03-09 17:15:30.000000000 -0700
@@ -1,3 +1,11 @@
+youtube-dl (2014.08.05-1jessie0.1) testing; urgency=medium
+
+ * Non-maintainer upload.
+ * Use SSL protocol negotiation, rather than requiring SSLv3 (which is no
+ longer supported in python 2.7.9). Closes: #780059.
+
+ -- Stefano Rivera <stefanor@debian.org> Mon, 09 Mar 2015 17:14:45 -0700
+
youtube-dl (2014.08.05-1) unstable; urgency=medium
* Imported Upstream version 2014.08.05.
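Review bot: The first line of the new entry uses version 2014.08.05-1jessie0.1 and distribution testing, while the release team's reply quoted later in this thread asks for 2014.08.05-1+deb8u1 and jessie, so both fields need to change before the upload. The bullet text itself is fine and already carries the Closes: #780059 reference.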
diff -Nru youtube-dl-2014.08.05/debian/patches/no-sslv3 youtube-dl-2014.08.05/debian/patches/no-sslv3
--- youtube-dl-2014.08.05/debian/patches/no-sslv3 1969-12-31 16:00:00.000000000 -0800
+++ youtube-dl-2014.08.05/debian/patches/no-sslv3 2015-03-09 17:09:54.000000000 -0700
@@ -0,0 +1,34 @@
+Description: Support Python 2.7.9, which removed PROTOCOL_SSLv3
+ In fact, don't try to force an SSL version at all. Debian OpenSSL doesn't
+ support insecure versions.
+ Upstream use Python's default SSL handshake since
+ https://github.com/rg3/youtube-dl/commit/0db261ba567cb5370455d67c4398e11e5e2119f8
+ And switches to TLSv1 in legacy paths in
+ https://github.com/rg3/youtube-dl/commit/d79323136fabc2cd72afc7c124e17797e32df514
+Author: Stefano Rivera <stefanor@debian.org>
+Bug-Debian: https://bugs.debian.org/780059
+Forwarded: not-needed
+Last-Update: 2015-03-08
+
+--- a/youtube_dl/utils.py
++++ b/youtube_dl/utils.py
+@@ -588,17 +588,14 @@
+ if getattr(self, '_tunnel_host', False):
+ self.sock = sock
+ self._tunnel()
+- try:
+- self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
+- except ssl.SSLError:
+- self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
++ self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
+
+ class HTTPSHandlerV3(compat_urllib_request.HTTPSHandler):
+ def https_open(self, req):
+ return self.do_open(HTTPSConnectionV3, req)
+ return HTTPSHandlerV3(**kwargs)
+ else:
+- context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
++ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ context.verify_mode = (ssl.CERT_NONE
+ if opts_no_check_certificate
+ else ssl.CERT_REQUIRED)
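Review bot: Both replaced calls now pass ssl.PROTOCOL_SSLv23, which only selects negotiation; which protocol versions can actually be negotiated is left to the OpenSSL build, and the Description relies on exactly that ("Debian OpenSSL doesn't support insecure versions"). In the SSLContext branch, consider stating it in code with context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 right after the context is created, so the outcome does not depend on how the library was built. Separately, the HTTPSConnectionV3 and HTTPSHandlerV3 names no longer describe what the classes do; if renaming is out of scope for a minimal patch, a one-line comment in the patch header noting that the names are kept only to limit the diff would help the next reader.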
diff -Nru youtube-dl-2014.08.05/debian/patches/series youtube-dl-2014.08.05/debian/patches/series
--- youtube-dl-2014.08.05/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
+++ youtube-dl-2014.08.05/debian/patches/series 2015-03-08 13:43:36.000000000 -0700
@@ -0,0 +1 @@
+no-sslv3
--- End Message ---
--- Begin Message ---
Hi,
On Wed, Mar 11, 2015 at 06:48:56AM +0200, Stefano Rivera wrote:
> Subject: Bug#780169: jessie-pu: package youtube-dl/2014.08.05-1jessie0.1
Unblocked.
> > Please use 2014.08.05-1+deb8u1 as version number.
>
> Lintian doesn't think that's correct for an NMU, but using it anyway.
>
> Also, submitted a patch to developers-reference #768426.
>
> > and jessie as a distribution (instead of testing).
>
> Submitted #780243 (with a patch) to developers-reference.
Thanks.
Cheers,
Ivo
--- End Message ---