[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#780169: marked as done (unblock: package youtube-dl/2014.08.05-1jessie0.1)

Your message dated Wed, 11 Mar 2015 10:08:35 +0100
with message-id <20150311090834.GA1199@ugent.be>
and subject line Re: Bug#780169: jessie-pu: package youtube-dl/2014.08.05-1jessie0.1
has caused the Debian Bug report #780169,
regarding unblock: package youtube-dl/2014.08.05-1jessie0.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
780169: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780169
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

youtube-dl 2014.08.05-1 requires SSLv3 in https requests, and doesn't use
protocol negotiation. See #780059. This, besides being bad, and not very
future-proof has caused complete incompatibility with Python 2.7.9,
which dropped the PROTOCOL_SSLv3 attribute from the ssl module.

This bug has been fixed, by the upstream, in unstable. But at this point
in the freeze, I doubt you'd consider letting the latest upstream
version migrate to testing.

So, please consider this t-p-u upload:

diff -Nru youtube-dl-2014.08.05/debian/changelog youtube-dl-2014.08.05/debian/changelog
--- youtube-dl-2014.08.05/debian/changelog	2014-08-06 11:43:31.000000000 -0700
+++ youtube-dl-2014.08.05/debian/changelog	2015-03-09 17:15:30.000000000 -0700
@@ -1,3 +1,11 @@
+youtube-dl (2014.08.05-1jessie0.1) testing; urgency=medium
+
+  * Non-maintainer upload.
+  * Use SSL protocol negotiation, rather than requiring SSLv3 (which is no
+    longer supported in python 2.7.9). Closes: #780059.
+
+ -- Stefano Rivera <stefanor@debian.org>  Mon, 09 Mar 2015 17:14:45 -0700
+
 youtube-dl (2014.08.05-1) unstable; urgency=medium
 
   * Imported Upstream version 2014.08.05.
diff -Nru youtube-dl-2014.08.05/debian/patches/no-sslv3 youtube-dl-2014.08.05/debian/patches/no-sslv3
--- youtube-dl-2014.08.05/debian/patches/no-sslv3	1969-12-31 16:00:00.000000000 -0800
+++ youtube-dl-2014.08.05/debian/patches/no-sslv3	2015-03-09 17:09:54.000000000 -0700
@@ -0,0 +1,34 @@
+Description: Support Python 2.7.9, which removed PROTOCOL_SSLv3
+ In fact, don't try to force an SSL version at all. Debian OpenSSL doesn't
+ support insecure versions.
+ Upstream use Python's default SSL handshake since
+ https://github.com/rg3/youtube-dl/commit/0db261ba567cb5370455d67c4398e11e5e2119f8
+ And switches to TLSv1 in legacy paths in
+ https://github.com/rg3/youtube-dl/commit/d79323136fabc2cd72afc7c124e17797e32df514
+Author: Stefano Rivera <stefanor@debian.org>
+Bug-Debian: https://bugs.debian.org/780059
+Forwarded: not-needed
+Last-Update: 2015-03-08
+
+--- a/youtube_dl/utils.py
++++ b/youtube_dl/utils.py
+@@ -588,17 +588,14 @@
+                 if getattr(self, '_tunnel_host', False):
+                     self.sock = sock
+                     self._tunnel()
+-                try:
+-                    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
+-                except ssl.SSLError:
+-                    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
++                self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
+ 
+         class HTTPSHandlerV3(compat_urllib_request.HTTPSHandler):
+             def https_open(self, req):
+                 return self.do_open(HTTPSConnectionV3, req)
+         return HTTPSHandlerV3(**kwargs)
+     else:
+-        context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
++        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+         context.verify_mode = (ssl.CERT_NONE
+                                if opts_no_check_certificate
+                                else ssl.CERT_REQUIRED)
diff -Nru youtube-dl-2014.08.05/debian/patches/series youtube-dl-2014.08.05/debian/patches/series
--- youtube-dl-2014.08.05/debian/patches/series	1969-12-31 16:00:00.000000000 -0800
+++ youtube-dl-2014.08.05/debian/patches/series	2015-03-08 13:43:36.000000000 -0700
@@ -0,0 +1 @@
+no-sslv3

--- End Message ---
--- Begin Message --- 
Hi,

On Wed, Mar 11, 2015 at 06:48:56AM +0200, Stefano Rivera wrote:
> Subject: Bug#780169: jessie-pu: package youtube-dl/2014.08.05-1jessie0.1

Unblocked.

> > Please use 2014.08.05-1+deb8u1 as version number.
> 
> Lintian doesn't think that's correct for an NMU, but using it anyway.
> 
> Also, submitted a patch to developers-reference #768426.
> 
> > and jessie as a distribution (instead of testing).
> 
> Submitted #780243 (with a patch) to developers-reference.

Thanks.

Cheers,

Ivo

--- End Message ---
Reply to: