[openstack-dev] [nova][glance][barbican][kite][requirements] pycrypto vs pycryptodome

Robert Collins robertc at robertcollins.net
Tue Feb 16 22:30:44 UTC 2016

I suggest:
 - pin anything that moves
 - start being strict ourselves to prepare for moving
 - work with paramiko to help them move

Sadly Python doesn't have either-or dependencies as yet, so we're
going to be in the position of having to override pip for some time
during the migration process.


On 15 February 2016 at 11:16, Davanum Srinivas <davanum at gmail.com> wrote:
> Hi,
> Short Story:
> pycryptodome if installed inadvertently will break several projects:
> Example : https://review.openstack.org/#/c/279926/
> Long Story:
> There's a new kid in town pycryptodome:
> https://github.com/Legrandin/pycryptodome
> Because pycrypto itself has not been maintained for a while:
> https://github.com/dlitz/pycrypto
> So folks like pysaml2 and paramiko are trying to switch over:
> https://github.com/rohe/pysaml2/commit/0e4f5fa48b1965b269f69bd383bbfbde6b41ac63
> https://github.com/paramiko/paramiko/issues/637
> In fact pysaml2===4.0.3 has already switched over. So the requirements
> bot/script has been trying to alert us to this new dependency, you can
> see Nova fail.
> https://review.openstack.org/#/c/279926/
> Why does it fail? For example, the new library is strict about getting
> bytes for keys and has dropped some parameters in methods. for
> example:
> https://github.com/Legrandin/pycryptodome/blob/master/lib/Crypto/PublicKey/RSA.py#L405
> https://github.com/dlitz/pycrypto/blob/master/lib/Crypto/PublicKey/RSA.py#L499
> Another problem, if pycrypto gets installed last then things will
> work, if it pycryptodome gets installed last, things will fail. So we
> definitely cannot allow both in our global-requirements and
> upper-constraints. We can always try to pin stuff, but things will
> fail as there are a lot of jobs that do not honor upper-constraints.
> And things will fail in the field for Mitaka.
> Action:
> So what can we do? One possibility is to pin requirements and hope for
> the best. Another is to tolerate the install of either pycrypto or
> pycryptodome and test both combinations so we don't have to fight this
> battle.
> Example for Nova : https://review.openstack.org/#/c/279909/
> Example for Glance : https://review.openstack.org/#/c/280008/
> Example for Barbican : https://review.openstack.org/#/c/280014/
> What do you think?
> Thanks,
> Dims
> --
> Davanum Srinivas :: https://twitter.com/dims
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Robert Collins <rbtcollins at hpe.com>
Distinguished Technologist
HP Converged Cloud

More information about the OpenStack-dev mailing list