Merge branch 'main' of github.com:sybrenstuvel/python-rsa into multip…

…rime

.github/workflows/tests.yml

@@ -0,0 +1,36 @@
+name: Test Python-RSA
+
+on: [push, pull_request, workflow_dispatch]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version:
+          - "3.8"
+          - "3.9"
+          - "pypy3.9"
+          - "3.10"
+          - "pypy3.10"
+          - "3.11"
+          - "3.12"
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+          allow-prereleases: true
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install poetry
+          poetry install
+      - name: Run tox
+        # Run tox using the version of Python in `PATH`
+        run: poetry run tox -e py

.gitignore

@@ -19,3 +19,4 @@ __pycache__/
 
 /build/
 /doc/_build/
+.vscode/settings.json

.travis.yml

@@ -6,19 +6,18 @@ cache: pip
 # See: https://github.com/travis-ci/travis-ci/issues/3024
 
 python:
-  - "3.6"
-  - "3.7"
   - "3.8"
   - "3.9"
-  - "3.10-dev"
+  - "3.10"
+  - "3.11"
 
 install:
   - pip install -U pip setuptools  # https://github.com/pypa/virtualenv/issues/1630
   - pip install poetry
   - poetry install
 
 script:
-  - poetry run py.test tests/
+  - poetry run pytest tests/
 
 after_success:
   - poetry run coveralls

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Python-RSA changelog
 
+## Version 4.10 - in development
+
+- Drop support for Python 3.6 ([#209](https://github.com/sybrenstuvel/python-rsa/pull/209))
+  and declare support for 3.11 ([#208](https://github.com/sybrenstuvel/python-rsa/pull/208)).
+- Upgrade `pytest` dependency to fix a [security issue](https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715).
+- Upgrade `pytest-cov` as well, for good measure.
+- Upgrade MyPy ([#211](https://github.com/sybrenstuvel/python-rsa/issues/211)).
+
 ## Version 4.9 - release 2022-07-20
 
 - Remove debug logging from `rsa/key.py`

README.md

@@ -24,7 +24,9 @@ licensed under the [Apache License, version 2.0](https://www.apache.org/licenses
 
 ## Security
 
-Because of how Python internally stores numbers, it is very hard (if not impossible) to make a pure-Python program secure against timing attacks. This library is no exception, so use it with care. See https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ for more info.
+Because of how Python internally stores numbers, it is not possible to make a pure-Python program secure against timing attacks. This library is no exception, so use it with care. See https://github.com/sybrenstuvel/python-rsa/issues/230 and https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ for more info.
+
+For instructions on how to best report security issues, see our [Security Policy](https://github.com/sybrenstuvel/python-rsa/blob/main/SECURITY.md).
 
 ## Setup of Development Environment
 
@@ -64,13 +66,8 @@ index-servers =
 
 ```
 . ./.venv/bin/activate
-pip install twine
 
 poetry build
-twine check dist/rsa-4.9.tar.gz dist/rsa-4.9-*.whl
-twine upload -r rsa dist/rsa-4.9.tar.gz dist/rsa-4.9-*.whl
+twine check dist/rsa-4.10-dev0.tar.gz dist/rsa-4.10-dev0-*.whl
+twine upload -r rsa dist/rsa-4.10-dev0.tar.gz dist/rsa-4.10-dev0-*.whl
 ```
-
-The `pip install twine` is necessary as Python-RSA requires Python >= 3.6, and
-Twine requires at least version 3.7. This means Poetry refuses to add it as
-dependency.

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the latest release.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+Please disclose it by email to <[email protected]>.
+
+This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be handled and/or disclosed in a best effort base.

doc/conf.py

@@ -43,8 +43,8 @@
 master_doc = 'index'
 
 # General information about the project.
-project = u'Python-RSA'
-copyright = u'2011-2019, Sybren A. Stüvel'
+project = 'Python-RSA'
+copyright = '2011-2019, Sybren A. Stüvel'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
@@ -180,8 +180,8 @@
 # Grouping the document tree into LaTeX files. List of tuples
 # (source start file, target name, title, author, documentclass [howto/manual]).
 latex_documents = [
-    ('index', 'Python-RSA.tex', u'Python-RSA Documentation',
-     u'Sybren A. Stüvel', 'manual'),
+    ('index', 'Python-RSA.tex', 'Python-RSA Documentation',
+     'Sybren A. Stüvel', 'manual'),
 ]
 
 # The name of an image file (relative to this directory) to place at the top of
@@ -213,8 +213,8 @@
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    ('index', 'python-rsa', u'Python-RSA Documentation',
-     [u'Sybren A. Stüvel'], 1)
+    ('index', 'python-rsa', 'Python-RSA Documentation',
+     ['Sybren A. Stüvel'], 1)
 ]
 
 todo_include_todos = True

doc/installation.rst

@@ -25,7 +25,7 @@ GitHub. It also hosts the `issue tracker`_.
 Dependencies
 ------------
 
-Python-RSA is compatible with Python versions 3.5 and newer. The last
+Python-RSA is compatible with Python versions 3.8 and newer. The last
 version with Python 2.7 support was Python-RSA 4.0.
 
 Python-RSA has very few dependencies. As a matter of fact, to use it