python3Packages.pyaes: raise on default IV

[mweinelt]

ricmoo/pyaes#56
https://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

[mweinelt]

Hm, there are some consumers who explicitly provide an IV, so maybe the best thing we can do is provide a patch that raises instead of using a default IV. But using a default IV can also be safe if you don't reuse it.

[rugk]

But using a default IV can also be safe if you don't reuse it.

That's a joke is not it? To hardcode cryptographic values that should be random (or not-reused) was never a good idea. Even if nix would provide a different "default IV" that obviously will be reused by different consumers.

The proper solution indeed is:

the best thing we can do is provide a patch that raises instead of using a default IV.

Just make technicaly sure, consumers can never actually reuse it.

[mweinelt]

Sorry, I meant if the consumer always passes a random IV they are fine, and we don't need to mark the package vulnerable and break them from being cached. These are nixpkgs semantics.

Of course raising is the correct way, I just hadn't gotten back to this yet. Writing that comment was the moment I took a course correction.

[rugk]

Okay, also what about at least trying to contribute that patch upstream?

[mweinelt]

Okay, also what about at least trying to contribute that patch upstream?

ricmoo/pyaes#57

[mweinelt]

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 491877
Commit: 5ba1e251c913e1e7101ac246b53a6feb3787bf24

---

x86_64-linux

⏩ 22 packages marked as broken and skipped:

• electron-cash
• electron-cash.dist
• electrum-grs
• electrum-grs.dist
• electrum-ltc
• electrum-ltc.dist
• hwi
• hwi.dist
• mautrix-telegram
• mautrix-telegram.dist
• python313Packages.ckcc-protocol
• python313Packages.ckcc-protocol.dist
• python313Packages.hwi
• python313Packages.hwi.dist
• python313Packages.pysatochip
• python313Packages.pysatochip.dist
• python314Packages.ckcc-protocol
• python314Packages.ckcc-protocol.dist
• python314Packages.hwi
• python314Packages.hwi.dist
• python314Packages.pysatochip
• python314Packages.pysatochip.dist

❌ 17 packages failed to build:

• blockstream-electrs
• localstack
• localstack.dist
• python313Packages.localstack-ext
• python313Packages.localstack-ext.dist
• python313Packages.telethon
• python313Packages.telethon.dist
• python314Packages.localstack-ext
• python314Packages.localstack-ext.dist
• python314Packages.pyrogram
• python314Packages.pyrogram.dist
• python314Packages.telethon
• python314Packages.telethon.dist
• tg-archive
• tg-archive.dist
• tgeraser
• tgeraser.dist

✅ 48 packages built:

• audible-cli
• audible-cli.dist
• electrum
• electrum.dist
• high-tide
• mopidy-tidal (mopidyPackages.mopidy-tidal)
• mopidy-tidal.dist (mopidyPackages.mopidy-tidal.dist)
• mtprotoproxy
• myfitnesspal (python313Packages.myfitnesspal)
• myfitnesspal.dist (python313Packages.myfitnesspal.dist)
• python313Packages.audible
• python313Packages.audible.dist
• python313Packages.browser-cookie3
• python313Packages.browser-cookie3.dist
• python313Packages.crownstone-core
• python313Packages.crownstone-core.dist
• python313Packages.crownstone-uart
• python313Packages.crownstone-uart.dist
• python313Packages.hydrogram
• python313Packages.hydrogram.dist
• python313Packages.pyaes
• python313Packages.pyaes.dist
• python313Packages.pyrogram
• python313Packages.pyrogram.dist
• python313Packages.tidalapi
• python313Packages.tidalapi.dist
• python314Packages.audible
• python314Packages.audible.dist
• python314Packages.browser-cookie3
• python314Packages.browser-cookie3.dist
• python314Packages.crownstone-core
• python314Packages.crownstone-core.dist
• python314Packages.crownstone-uart
• python314Packages.crownstone-uart.dist
• python314Packages.hydrogram
• python314Packages.hydrogram.dist
• python314Packages.myfitnesspal
• python314Packages.myfitnesspal.dist
• python314Packages.pyaes
• python314Packages.pyaes.dist
• python314Packages.tidalapi
• python314Packages.tidalapi.dist
• tauon
• tauon.dist
• tests.home-assistant-component-tests.crownstone
• wapiti
• wapiti.dist
• zeronet-conservancy

---

Error logs: `x86_64-linux`

blockstream-electrs

  1.51 | I | daemon.Daemon | stopped
test test_electrum ... FAILED
failures:
---- test_electrum stdout ----
thread 'test_electrum' (11842) panicked at tests/electrum.rs:46:13:

assertion left == right failed

left: None

right: Some("0.1")

note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
failures:

test_electrum
test result: FAILED. 0 passed; 1 failed; 0 ignored; 0 measured; 0 filtered out; finished in 16.89s
error: test failed, to rerun pass --test electrum

python313Packages.telethon

Using pythonRuntimeDepsCheckHook
Sourcing pypa-install-hook
Using pypaInstallPhase
Sourcing python-imports-check-hook.sh
Using pythonImportsCheckPhase
Sourcing python-namespaces-hook
Sourcing python-catch-conflicts-hook.sh
Sourcing pytest-check-hook
Using pytestCheckPhase
Running phase: unpackPhase
unpacking source archive /nix/store/g1jlrv78xn1sgamzlm2aq9jm3n261455-source
source root is source
setting SOURCE_DATE_EPOCH to timestamp 315619200 of file "source/update-docs.sh"
Running phase: patchPhase
applying patch /nix/store/rk85kikh9rikv50r0w1ma47afszs7ka1-fix_async_test.patch
patching file tests/telethon/test_helpers.py
Reversed (or previously applied) patch detected!  Assume -R? [n] 
Apply anyway? [n] 
Skipping patch.
3 out of 3 hunks ignored -- saving rejects to file tests/telethon/test_helpers.py.rej

python314Packages.pyrogram

  File "<frozen importlib._bootstrap>", line 1398, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1371, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1342, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 938, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 759, in exec_module
  File "<frozen importlib._bootstrap>", line 491, in _call_with_frames_removed
  File "/nix/store/afyw46hr4gnlvj1k60ljr9ld3v9nb5wi-python3.14-pyrogram-2.0.106/lib/python3.14/site-packages/pyrogram/__init__.py", line 40, in <module>
    from .sync import idle, compose
  File "/nix/store/afyw46hr4gnlvj1k60ljr9ld3v9nb5wi-python3.14-pyrogram-2.0.106/lib/python3.14/site-packages/pyrogram/sync.py", line 99, in <module>
    wrap(Methods)
    ~~~~^^^^^^^^^
  File "/nix/store/afyw46hr4gnlvj1k60ljr9ld3v9nb5wi-python3.14-pyrogram-2.0.106/lib/python3.14/site-packages/pyrogram/sync.py", line 95, in wrap
    async_to_sync(source, name)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^
  File "/nix/store/afyw46hr4gnlvj1k60ljr9ld3v9nb5wi-python3.14-pyrogram-2.0.106/lib/python3.14/site-packages/pyrogram/sync.py", line 31, in async_to_sync
    main_loop = asyncio.get_event_loop()
  File "/nix/store/8gnchv834z56s561v3sx2h0ra1a2xn46-python3-3.14.3/lib/python3.14/asyncio/events.py", line 715, in get_event_loop
    raise RuntimeError('There is no current event loop in thread %r.'
                       % threading.current_thread().name)
RuntimeError: There is no current event loop in thread 'MainThread'.

[nixpkgs-ci]

Successfully created backport PR for release-25.11:

• [Backport release-25.11] python3Packages.pyaes: raise on default IV #495815