Specifically, drop support for Python versions older than 3.7, including
Python 2.x.
All of those versions are well beyond their official end-of-life, and
given this is a security-related project, it's reasonable to expect
users to run it in a modern Python environment.
* Remove Travis Python 3.7 hack
No longer necessary: 3.7 is supported out-of-the-box
* Add support for Python 3.8
And explicitly document in setup.py
* "Upgrade base Docker image to Python 3.8"
* Add entry about py38 support in WIP changelog
* Explicitly declare python versions in setup.py
* Bump Werkzeug to 0.15.6
This is the latest 0.15 version. 0.16 might be incompatible
The fix we are looking for is in [0.15.5](http://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-5):
> Fix a TypeError due to changes to ast.Module in Python 3.8.
This addresses CVE-2018-10903:
A flaw was found in python-cryptography versions between >=1.9.0 and
<2.3. The finalize_with_tag API did not enforce a minimum tag
length. If a user did not validate the input length prior to passing
it to finalize_with_tag an attacker could craft an invalid payload
with a shortened tag (e.g. 1 byte) such that they would have a 1 in
256 chance of passing the MAC check. GCM tag forgeries can cause key
leakage.
... although snappass isn't affected because we don't use the
vulnerable `finalize_with_tag` API.
- "{}".format('foo') does not work on python2.6, as the index needs to be explicitly specified.
- assertIn(x, y) was only introduced in 2.7, reverting to assertTrue(x in y)
Updated test environments definitions and docs accordingly.
With only 3.5, travis-ci works, because 2.7, 3.3 and 3.4 interpreters
are present by default, but it might break randomly at some point.
Defining all the versions explicitly, and using the tox-travis plugin
is more robust.
Also, 2.6 was removed from the "officially supported" python versions,
as the tests are not run (and don't pass).