Saturday, July 04, 2026

Re: [new] bandit 1.9.4, find common security issues in Python code

On Fri, Jun 26, 2026 at 09:20:22PM +0200, Caspar Schutijser wrote:
> Hey,
>
> On Fri, Jun 26, 2026 at 03:45:13PM +0200, landry@openbsd.org wrote:
> > here's a quick ('n'dirty?) port for
> > https://bandit.readthedocs.io/en/latest/ and its dependency
> > https://opendev.org/openstack/stevedore, i've used it on some python
> > codebases and it nicely flags potential security issues in the code.
> >
> > oks/tests/improvements ?
>
> I tweaked devel/py-stevedore/pkg/DESCR a little bit (remove a stray '_',
> add an empty line between the two paragraphs and run it through fmt).
> The new file is attached, feel free to use it if you want.
>
> The indenting of RUN_DEPENDS and TEST_DEPENDS in the bandit Makefile
> looks a bit funny, can you fix that?
>
> make test works fine for the stevedore port, even though there's the
> "# missing stestr ?" comment in the Makefile.
> https://pypi.org/project/stestr/ suggests that stestr is a tool that can
> be used to execute the tests, but apparently the tests also run without?
> In that case I guess the comment can be removed.
>
> In the case of bandit, 3 tests fail because of some missing Python
> modules (git, bs4 and sarif_om). Installing py3-beautifulsoup4 solves
> the middle one, I'm not sure how to fix the other two.
>
> Besides that it looks good to me and it works well.

thanks for the feedback, i've added the two missing TDEPs we have in
ports, now there's only 1 failing test left. I think i've also fixed the
other nits, does this look good to import ?

thoughts on importing it as security/bandit or security/py-bandit ?

Landry

Re: new: net/parla & net/deltachat-rpc-server: DeltaChat instant messaging

Chris Billington wrote:
> yaydn@protonmail.com wrote:
>> On Sunday 28 June 2026 at 12:43, Chris Billington
>> <emulti@disroot.org> wrote:
>>
>>> (As previous mail, but with the extra logs snipped out for clarity).
>>> Sorry, I should have done that before.
>>>
>>> yaydn@protonmail.com wrote:
>>>> On Thursday 25 June 2026 at 11:26, Chris Billington
>>>> <emulti@disroot.org> wrote:
>>>>
>>>>> Thanks- my mistake I had forgotten to re-enable that.
>>>>> It takes 90 minutes or so to build on my old hardware.
>>>>> Uncommenting the BUILD_DEPENDS += databases/sqlcipher should allow you
>>>>> to continue testing.
>>>>>
>>>>> Chris
>>>>>
>>>>
>>>> Also tested on current/amd64 with privsep.
>>>>
>>>> Tests:
>>>>
>>>> ===>  Regression tests for deltachat-rpc-server-2.53.0
>>>> warning: `panic` setting is ignored for `bench` profile
>>>
>>>> test peer_channels::tests::test_can_communicate has been running for
>>>> over 60 seconds
>>>> test peer_channels::tests::test_can_reconnect has been running for
>>>> over 60 seconds
>>>> --
>>>> // This is as far as it goes with privsep. I'll leave it overnight to
>>>> // make sure.
>>>>
>>>>
>>>> 1/2 parla:storage-quota OK              0.06s
>>>> 2/2 parla:markdown      OK              0.02s
>>>>
>>>> Ok:                2
>>>> Fail:              0
>>>> --
>>>> // Parla's 'make test' completed.
>>>>
>>>> 'make port-lib-depends-check check-shlib-syms' did not report anything
>>>> amiss for either package.
>>>>
>>>> # TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all/ pkg_add -Dsnap parla
>>>> parla-0.5.8: ok
>>>> --
>>>> // Installed fine.
>>>>
>>>> Gave it a quick light test on sway# Ensure system sqlcipher used on
>>>> 7.9-release/-stable > MODCARGO_ENV +=         LIBSQLITE3_SYS_USE_PKG_CONFIG=1. Ran natively.
>>>>
>>>> No nits or grammar/spelling errors that I could see.
>>>>
>>>> Looks fine other than the aforementioned BUILD_DEPENDS and maybe tests
>>>> for deltachat-rpc-server under privsep.
>>>>
>>>> Hope this helps. May you all have a good one.
>>>> --
>>>> yaydn
>>>>
>>>>
>>>>> Mikolaj Kucharski wrote:
>>>>>> Hi Chris.
>>>>>>
>>>>>> Building deltachat-rpc-server failed for me with:
>>>>>>
>>>>>> I see that sqlcipher is commented out in the Makefile.
>>>>>>
>>>>>>
>>>>>> On Thu, Jun 25, 2026 at 12:12:33PM +0800, Chris Billington wrote:
>>>>>>> 1    net/parla: DeltaChat email instant messaging client in
>>>>>>> GTK4/Vala
>>>>>>>
>>>>>>>     upstream: https://github.com/trufae/parla
>>>>>>>
>>>>>>> 2    net/deltachat-rpc-server: DeltaChat JSON-RPC server in Rust
>>>>>>>     (deltachat-rpc-server and deltachat-repl components only)
>>>>>>>
>>>>>>>     upstream: https://github.com/chatmail/core
>>>>>>>
>>>>>>> Delta Chat (https://delta.chat) is an encrypted instant messaging
>>>>>>> system with clients for Android/IOS/Desktop. The Desktop client uses
>>>>>>> Electron so is not available for OpenBSD, but the JSON-RPC variant
>>>>>>> is a lighter alternative.
>>>>>>>
>>>>>>> It's possible to use your own email server as a relay but
>>>>>>> upstream are concentrating on providing 'chatmail' servers (default
>>>>>>> for registering new 'accounts', anonymously) to reduce support burden.
>>>>>>>
>>>>>>> deltachat-rpc-server requires USE_NOEXECONLY to get around issues
>>>>>>> with the awc-lc-rs TLS crate used by default by rustls. It is
>>>>>>> possible to patch to use ring to avoid NOEXECONLY but I guess that's
>>>>>>> a heavier maintenance burden pending awc-lc-sys upstream fixing the
>>>>>>> issue.
>>>>>>>
>>>>>>> Tested on amd64 7.9-current and -stable
>>>>>>> Testers and comments welcome
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>> Updated deltachat-rpc-server with the following changes:
>>>
>>> make:
>>> - build only the deltachat-rpc-server package using MODCARGO_BUILD_ARGS.
>>> The default build is libdeltachat only, which is a dependency of
>>> deltachat-rpc-server.
>>> - add MODCARGO_ENV += LIBSQLITE3_SYS_USE_PKG_CONFIG=1 otherwise builds
>>> on 7.9-release/stable will link the bundled sqlcipher. cargo.port.mk on
>>> current already has this.
>>> - remove deltachat-repl (useful only for debugging) to halve build time
>>>
>>> make fake:
>>> - to avoid a full rebuild of both libdeltachat and deltachat-rpc-server
>>> set MODCARGO_INSTALL= no, and do-install the deltachat-rpc-server binary
>>> built by make
>>>
>>> make test:
>>> - though there is some noise interleaved with tests from sqlcipher that
>>> pages are not being decrypted, the decryption clearly works on the final
>>> package. Not clear which tests the messages belong to.
>>> - make test only builds a temporary libdeltachat. No specific tests for
>>> deltachat-rpc-server. All 1087 tests pass, but 'make test' hangs after
>>> the last test has been completed ok.
>>> - due to above, MODCARGO_TEST= no
>>>
>>> Parla: no changes.
>>> - minor bug: systemtray icon appears when set, but menu items
>>> nonfunctional (DBus 'No such method' error). Please test.
>>>
>>> Tested on 7.9-stable and -current amd64
>>> Testers and comments welcome
>>>
>>> Chris
>>>
>>
>> Once more under current/amd64 with privsep.
>> Build date: 1782827771 - Tue Jun 30 13:56:11 UTC 2026
>>
>> Did:
>>
>> // Built deltachat-rpc-server parla and did tests/checks
>> $ cd /usr/ports/net/deltachat-rpc-server/ && make clean=all clean &&
>> make build package test ; make port-lib-depends-check check-shlib-syms
>>
>> ===>  Building package for deltachat-rpc-server-2.53.0
>> Create /usr/ports/packages/amd64/all/deltachat-rpc-server-2.53.0.tgz
>> Creating package deltachat-rpc-server-2.53.0
>> Link to /usr/ports/packages/amd64/ftp/deltachat-rpc-server-2.53.0.tgz
>> ===>  Regression tests for deltachat-rpc-server-2.53.0
>> make: cannot open Makefile.
>> *** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:3114
>> '/usr/ports/pobj/deltachat-rpc-server-2.53.0/.test_done': @cd
>> /usr/ports/pob...)
>> *** Error 2 in /usr/ports/net/deltachat-rpc-server
>> (/usr/ports/infrastructure/mk/bsd.port.mk:2722 'test':
>> @lock=deltachat-rpc-server-2.53.0;...)
>> --
>> // Did this thrice. Checks were fine. However, I suspect I am doing
>> // something wrong with 'make test'.
>> # Ensure system sqlcipher used on 7.9-release/-stable > MODCARGO_ENV +=         LIBSQLITE3_SYS_USE_PKG_CONFIG=1
>> // Reinstalled deltachat-rpc-server
>> # TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all/ pkg_add -Dsnap
>> -Dinstalled -r deltachat-rpc-server
>> deltachat-rpc-server-2.53.0->2.53.0: ok
>> --
>>
>> // Built parla and did tests/checks
>> $ cd /usr/ports/net/parla/ && make clean=all clean && make patch build
>> package test ; make port-lib-depends-check check-shlib-syms
>>
>> ===>  Regression tests for parla-0.5.8
>> exec /usr/bin/env -i LC_CTYPE="en_US.UTF-8" PORTSDIR="/usr/ports"
>> LIBTOOL="/usr/bin/libtool"
>> PATH='/usr/ports/pobj/parla-0.5.8/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11R6/bin'
>> PREFIX='/usr/local'  LOCALBASE='/usr/local' X11BASE='/usr/X11R6'
>> CFLAGS='-O2 -pipe -g'  TRUEPREFIX='/usr/local' DESTDIR=''
>> HOME='/parla-0.5.8_writes_to_HOME' PICFLAG="-fpic"  BINGRP=bin
>> BINOWN=root BINMODE=755 NONBINMODE=644  DIRMODE=755  INSTALL_COPY=-c
>> INSTALL_STRIP=  MANGRP=bin MANOWN=root MANMODE=644
>> BSD_INSTALL_PROGRAM="/usr/ports/pobj/parla-0.5.8/bin/install -c  -m
>> 755"  BSD_INSTALL_SCRIPT="/usr/ports/pobj/parla-0.5.8/bin/install -c
>> -m 755"  BSD_INSTALL_DATA="/usr/ports/pobj/parla-0.5.8/bin/install -c
>> -m 644"  BSD_INSTALL_MAN="/usr/ports/pobj/parla-0.5.8/bin/install -c
>> -m 644"
>> BSD_INSTALL_PROGRAM_DIR="/usr/ports/pobj/parla-0.5.8/bin/install -d -m
>> 755"  BSD_INSTALL_SCRIPT_DIR="/usr/ports/pobj/parla-0.5.8/bin/install
>> -d -m 755"
>> BSD_INSTALL_DATA_DIR="/usr/ports/pobj/parla-0.5.8/bin/install -d -m
>> 755"  BSD_INSTALL_MAN_DIR="/usr/ports/pobj/parla-0.5.8/bin/install -d
>> -m 755"   /usr/local/bin/meson test --num-processes 1
>> --print-errorlogs -C /usr/ports/pobj/parla-0.5.8/build-amd64
>> ninja: Entering directory `/usr/ports/pobj/parla-0.5.8/build-amd64'
>> ninja: no work to do.
>> 1/2 parla:storage-quota OK              0.18s
>> 2/2 parla:markdown      OK              1.45s
>>
>> Ok:                2
>> Fail:              0
>> --
>> // The checks had no issues and the tests passed as well.
>>
>> // Reinstalled parla
>> # TRUSTED_PKG_PATH=/usr/ports/packages/amd64/all/ pkg_add -Dsnap
>> -Dinstalled -r parla
>> parla-0.5.8->0.5.8: ok
>> --
>>
>> Some space nits in the net/deltachat-rpc-server/Makefile :
>>
>> .if ${MACHINE_ARCH} == "amd64"
>> USE_NOEXECONLY =        Yes
>> .endif
>> --
>>
>> The packages built and installed fine.
>>
>> Runs natively in sway. Sent some messages back and forth.
>>
>> Sorry this took so long. I was making sure the other things I was
>> building were not part of the reason this was not testing properly
>> somehow. I wanted to be thorough.
>>
>> Hope this helps. May you all have a good one.
>> --
>> yaydn
>>
> Thanks for testing!
>
> The 'cannot open Makefile' with 'make test' is due to having
> MODCARGO_TEST = No in the Makefile. If you comment it, tests should
> build and run.
>
> As mentioned above all 1077 tests pass here on -current. There are some
> sqlcipher errors but they seem unrelated to specific tests and the
> package clearly works to decrypt. But make test fails to complete,
> _after_ the last test passes with 'ok'. That is why I disabled tests.
>
> Do you see the same with tests re-enabled?
>
> The following was only added for testing on -stable. Not needed on
> -current due to updates in cargo.port.mk.
>
> # Ensure system sqlcipher used on 7.9-release/-stable
> MODCARGO_ENV +=         LIBSQLITE3_SYS_USE_PKG_CONFIG=1
>
> Regards,
> Chris

After enabling test debugging with MODCARGO_TEST_ARGS = -- --no-capture,
I found the webxdc tests initiate a download of
https://apps.testrun.org/webxdc-editor-v3.2.0.xdc

Network access is specifically blocked for the _pbuild user in pf.conf

After temporarily allowing access to the _pbuild user, tests complete
with 1 failure:

failures:
    tools::tools_tests::test_maybe_warn_on_outdated

test result: FAILED. 1085 passed; 1 failed; 1 ignored; 0 measured; 0 filtered out; finished in 214.78s

test_maybe_warn_on_outdated is to check if the DC library is an old
version. It is a time-based test, comparing release timestamp and
timestamp_now. Initial log contains a warning that a failure may be a
false positive due to multi threading, but on a rerun with
MODCARGO_TEST_ARGS = -- --no-capture --test-threads 1 it still fails.

thread 'tools::tools_tests::test_maybe_warn_on_outdated' (298851) panicked at src/tools/tools_tests.rs:453:5:
assertion `left == right` failed
  left: 1
 right: 0

452     let chats = Chatlist::try_load(&t, 0, None, None).await.unwrap();
453     assert_eq!(chats.len(), 0);

Probably not catastrophic. However, since network access during port
build is not allowed, MODCARGO_TEST=no is appropriate.

Regards
Chris