On Tue, 2023-03-07 at 11:19 -0500, Corey Bryant wrote:
Hi All,
As you probably know, recent versions of cryptography have hard dependencies on Rust. Are there any community plans to continue supporting a minimum (non-Rust) version of cryptography until a specific release?
I thought we had already raised the min above the version that required Rust, so not that I am aware of. cryptography>=2.7 is our current stated minimum, but we have been testing with a much, much newer version for a long time since we do not test minimums anymore https://github.com/openstack/nova/commit/6caedfd97675940eb3cf07e2f019926dae4...
The concern I have downstream in Ubuntu is that we need to continue being compatible with cryptography 3.4.8 through OpenStack 2024.1. This is because all releases through 2024.1 will be backported to the Ubuntu 22.04 cloud archives, which will use cryptography 3.4.8. Once we get to 2024.2, we will be backporting to 24.04 cloud archives, which will have the new Rust-based versions of cryptography.
The current upper-constraint for cryptography is 38.0.2, but the various requirements.txt min versions are much lower (e.g. keystone has cryptography>=2.7). This is likely to lead to patches landing with features that are only in 38.0.2, so it will likely be difficult to enforce min version support. But perhaps a stance toward maintaining compatibility could be established.
https://github.com/openstack/governance/blob/584e06b0c186d4355d1d51f2d6df96e... We decided to "Drop Lower Constraints Maintenance" relatively recently. While we have PTI guidance for some languages, Rust is not one of them https://github.com/openstack/governance/tree/584e06b0c186d4355d1d51f2d6df96e... and it's also not part of the tested runtimes https://github.com/openstack/governance/blob/master/reference/runtimes/2023.... so I would probably try to avoid making any commitment to continuing to support non-Rust-based pycryptography releases.
Thoughts?
Corey