CryptographyDeprecationWarning when running autorsyncbackup on Debian Buster

[mbchristoff]

When running autorsyncbackup on Debian Buster using Python 3.7 in debug mode these errors will pop up on screen.

/usr/lib/python3/dist-packages/paramiko/kex_ecdh_nist.py:39: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
  m.add_string(self.Q_C.public_numbers().encode_point())
/usr/lib/python3/dist-packages/paramiko/kex_ecdh_nist.py:96: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.curve, Q_S_bytes
/usr/lib/python3/dist-packages/paramiko/kex_ecdh_nist.py:111: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
  hm.add_string(self.Q_C.public_numbers().encode_point())
/usr/lib/python3/dist-packages/paramiko/ecdsakey.py:164: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.ecdsa_curve.curve_class(), pointinfo
INFO: Successfully connected to host via ssh protocol (hostname.fqdn.com)

Autorsyncbackup was installed using the guide in Readme.md on a vanilla up-to-date Debian Buster install.
Should you need any further information, please do not hesitate to contact me.

@sebastic Does this warning also occur on your installation?

[sebastic]

Yes, it occurs for everything that uses paramiko on buster. It needs changes to accommodate python-cryptography >= 2.4.

Try python3-paramiko from buster-backports.

[teunis90]

@sebastic maybe the wrong person to ask given your Debian background. But what if we use pip packages over Debian packages? Can we then avoid using backports?

Personally I don't like mixing the two of them. What would be the cleanest solution? Should be update the docs?

[sebastic]

The cleanest solution is keep using Debian packages for the autorsyncbackup dependencies, with newer versions provided in buster-backports.

Alternatively you can use pip3 to install newer versions, like we needed to do in the Travis config for Ubuntu bionic. Since that's contained within their VMs I don't mind as much, for production servers I recommend against mixing Debian packages and modules installed from PyPI.

If people are really bothered by this warning we could suppress it in autorsyncbackup, I've done that for many projects at $DAYJOB that run on buster.

[sebastic]

This should work to suppress the warning:

diff --git a/src/lib/command.py b/src/lib/command.py
index bdddde9..bcd2ef9 100644
--- a/src/lib/command.py
+++ b/src/lib/command.py
@@ -1,12 +1,20 @@
 import socket
 import subprocess
 import time
+import warnings
 
+from cryptography.utils import CryptographyDeprecationWarning
 import paramiko
 
 from .logger import logger
 
 
+warnings.filterwarnings(
+                         action='ignore',
+                         category=CryptographyDeprecationWarning,
+                       )
+
+
 class command():
 
     def checkRemoteHostViaSshProtocol(self, job,
diff --git a/src/lib/rsync.py b/src/lib/rsync.py
index c56374f..d93fd0d 100644
--- a/src/lib/rsync.py
+++ b/src/lib/rsync.py
@@ -1,13 +1,21 @@
 import socket
 import subprocess
 import time
+import warnings
 
+from cryptography.utils import CryptographyDeprecationWarning
 import paramiko
 
 from models.config import config
 from lib.logger import logger
 
 
+warnings.filterwarnings(
+                         action='ignore',
+                         category=CryptographyDeprecationWarning,
+                       )
+
+
 class rsync():
 
     def checkRemoteHost(self, job):

[teunis90]

I decided not to change anything since you only see this message while debugging on the CLI. Everything else is working fine.

@sebastic thanks for updating this ticket. It's good to know it will be resolved in the next Debian release.

[teunis90]

@sebastic I just realized we get every night e-mails with the deprecation warning. In our effort to reduce the number of emails we get, I would propose to suppress the deprecation warning till the next major Debian release. Once we go to Debian 11, we can remove the suppression.

What do you think?

[sebastic]

That's pretty much what we'll do for the various scripts where we suppressed the warning. Applying the patch I proposed should do.

[teunis90]

I have 5 servers with an installation. I rather add it to src then patch all 5 of them. Can you commit your patch from one of your servers?

[sebastic]

I'm not working at $DAYJOB today, so I just committed the patch to my fork.

On Tuesday I'll be able to test the changes at $DAYJOB. If you're able to test before then, please do.

[teunis90]

Thanks, I saw your commit. I'll try to test it today.