[openstack-dev] [nova][glance][barbican][kite][requirements] pycrypto vs pycryptodome

Flavio Percoco flavio at redhat.com
Mon Feb 15 13:06:25 UTC 2016

On 14/02/16 17:16 -0500, Davanum Srinivas wrote:
>Short Story:
>pycryptodome if installed inadvertently will break several projects:
>Example : https://review.openstack.org/#/c/279926/
>Long Story:
>There's a new kid in town pycryptodome:
>Because pycrypto itself has not been maintained for a while:
>So folks like pysaml2 and paramiko are trying to switch over:
>In fact pysaml2===4.0.3 has already switched over. So the requirements
>bot/script has been trying to alert us to this new dependency, you can
>see Nova fail.
>Why does it fail? For example, the new library is strict about getting
>bytes for keys and has dropped some parameters in methods. for
>Another problem, if pycrypto gets installed last then things will
>work, if it pycryptodome gets installed last, things will fail. So we
>definitely cannot allow both in our global-requirements and
>upper-constraints. We can always try to pin stuff, but things will
>fail as there are a lot of jobs that do not honor upper-constraints.
>And things will fail in the field for Mitaka.
>So what can we do? One possibility is to pin requirements and hope for
>the best. Another is to tolerate the install of either pycrypto or
>pycryptodome and test both combinations so we don't have to fight this
>Example for Nova : https://review.openstack.org/#/c/279909/
>Example for Glance : https://review.openstack.org/#/c/280008/

I'm not opposed to this as a short term solution.


>Example for Barbican : https://review.openstack.org/#/c/280014/
>What do you think?
>Davanum Srinivas :: https://twitter.com/dims
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

Flavio Percoco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160215/f928c847/attachment.pgp>

More information about the OpenStack-dev mailing list