Open Stack

I'm aware, iirc it was brought up when pysaml2 had to be fixed due to a
CVE.  This thread is more looking for a long term fix.

On 03/08/2017 01:11 PM, Davanum Srinivas wrote:
> Matthew,
> 
> Please see the last time i took inventory:
> https://review.openstack.org/#/q/pycryptodome+owner:dims-v
> 
> Thanks,
> Dims
> 
> On Wed, Mar 8, 2017 at 2:03 PM, Matthew Thode <prometheanfire at gentoo.org> wrote:
>> So, pycrypto upstream is dead and has been for a while, we should look
>> at moving off of it for both bugfix and security reasons.
>>
>> Currently it's used by the following.
>>
>> barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,
>> kolla, openstack-ansible, and a couple of other smaller places.
>>
>> Development of it was forked into pycryptodome, which is supposed to be
>> a drop in replacement.  The problem is that due to co-installability
>> requirements we can't have half of packages out there using pycrypto and
>> the other half using pycryptodome.  We'd need to hard switch everyone as
>> both packages install into the same namespace.
>>
>> Another alternative would be to use something like cryptography instead,
>> though it is not a drop in replacement, the migration would be able to
>> be done piecemeal.
>>
>> I'd be interested in hearing about migration plans, especially from the
>> affected projects.
>>
>> --
>> Matthew Thode (prometheanfire)
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
> 
> 
> 


-- 
Matthew Thode (prometheanfire)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170308/b44eb072/attachment-0001.pgp>