Open tcompa opened 10 months ago
This seems quite harmless.
In https://foss.heptapod.net/python-libs/passlib/-/blob/branch/stable/passlib/handlers/bcrypt.py, there is this block:
```python
try:
    version = _bcrypt.__about__.__version__
except:
    log.warning("(trapped) error reading bcrypt version", exc_info=True)
    version = '<unknown>'
```
but the underlying bcrypt behavior changed when passing from 4.0.1 to 4.1.1:
```console
$ pip install bcrypt==4.0.1
Collecting bcrypt==4.0.1
  Using cached bcrypt-4.0.1-cp36-abi3-manylinux_2_28_x86_64.whl (593 kB)
Installing collected packages: bcrypt
  Attempting uninstall: bcrypt
    Found existing installation: bcrypt 4.1.1
    Uninstalling bcrypt-4.1.1:
      Successfully uninstalled bcrypt-4.1.1
Successfully installed bcrypt-4.0.1
$ python -c "import bcrypt; print(bcrypt.__about__.__version__)"
4.0.1
$ python -c "import bcrypt; print(bcrypt.__version__)"
4.0.1
$ pip install bcrypt==4.1.1
Collecting bcrypt==4.1.1
  Using cached bcrypt-4.1.1-cp37-abi3-manylinux_2_28_x86_64.whl (699 kB)
Installing collected packages: bcrypt
  Attempting uninstall: bcrypt
    Found existing installation: bcrypt 4.0.1
    Uninstalling bcrypt-4.0.1:
      Successfully uninstalled bcrypt-4.0.1
Successfully installed bcrypt-4.1.1
$ python -c "import bcrypt; print(bcrypt.__about__.__version__)"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: module 'bcrypt' has no attribute '__about__'
$ python -c "import bcrypt; print(bcrypt.__version__)"
4.1.1
```
Ref https://foss.heptapod.net/python-libs/passlib/-/issues/190 (although it should be noted that passlib is not actively maintained at the moment).
bcrypt is now pinned to 4.0.1, and the issue remains open as a reminder for unpinning
For the record, this also blocks the update of fastapi-users to v13.0.0.
EDIT: we are now pinning bcrypt to 4.0.1. This issue remains open as a reminder to unpin it as soon as the issue is fixed upstream.
With python 3.10.12 and fractal-server 1.4.0a8.
this is with
The warning is gone if we bring back `bcrypt` to 4.0.1:

Note that 4.1.0 had some issues (ref https://github.com/pyca/bcrypt/issues/677), but it was indeed yanked.
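
A version lookup that tolerates both attribute layouts shown in the terminal session above, as an added example (not passlib's or fractal-server's code). The names `read_backend_version` and `_fake_module` are hypothetical, and the stand-in modules are constructed so the block runs without bcrypt installed.

```python
import importlib.metadata
import logging
import types

log = logging.getLogger(__name__)


def read_backend_version(module, dist_name=None):
    """Return the backend's version string, or '<unknown>'.

    Order: module.__version__ (works on bcrypt 4.0.1 and 4.1.1 in the
    session above), then module.__about__.__version__ (4.0.1 only), then
    the installed distribution's metadata if dist_name is given.
    """
    version = getattr(module, "__version__", None)
    if isinstance(version, str):
        return version
    # getattr with a default avoids the AttributeError seen on 4.1.1
    about = getattr(module, "__about__", None)
    version = getattr(about, "__version__", None)
    if isinstance(version, str):
        return version
    if dist_name:
        try:
            return importlib.metadata.version(dist_name)
        except importlib.metadata.PackageNotFoundError:
            log.debug("no installed distribution named %r", dist_name)
    return "<unknown>"


def _fake_module(top_level=None, about=None):
    """Build a constructed stand-in module with the given attribute layout."""
    mod = types.ModuleType("fake_bcrypt")
    if top_level is not None:
        mod.__version__ = top_level
    if about is not None:
        mod.__about__ = types.SimpleNamespace(__version__=about)
    return mod


# Constructed sample inputs mirroring the layouts in the session above.
LAYOUT_4_0_1 = _fake_module(top_level="4.0.1", about="4.0.1")
LAYOUT_4_1_1 = _fake_module(top_level="4.1.1")      # no __about__
ABOUT_ONLY = _fake_module(about="0.0.0-constructed")  # hypothetical layout
NO_VERSION = _fake_module()

if __name__ == "__main__":
    for mod in (LAYOUT_4_0_1, LAYOUT_4_1_1, ABOUT_ONLY, NO_VERSION):
        print(read_backend_version(mod))
```

With a real install, `read_backend_version(bcrypt, "bcrypt")` would use the same lookup order against the imported module.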