[openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

Jeremy Stanley fungi at yuggoth.org
Sun Nov 6 14:59:03 UTC 2016

On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> Currently Kolla uses pycrypto in our requirements.  I see a lot of
> big tent projects moving to cryptography.  Is this just my
> imagination, or was there a decision on this from the requirements
> team?  We are happy to comply with whatever dep management is
> considered appropriate for OpenStack ESPECIALLY as it relates to
> security and crypto libraries.

The only "decision" I'm aware of from the requirements reviewers
(long before it was an official team) was ~2.5 years ago when
cryptography was introduced into global requirements by developers
wishing to use it in Barbican: https://review.openstack.org/93794

Keystone seems to have added it into their own requirements soon
thereafter, a little over 2 years ago, for access to fernet
primitives to use in their lightweight token implementation:

Nova introduced it roughly 1.5 years ago to replace some hacky
callouts to the openssl command-line utility in a number of
functions: https://review.openstack.org/198246

I'm sure I could find more examples, but this demonstrates there's
been a gradual uptake in the library in key parts of OpenStack over
the course of years. Is there a particular recent addition of it in
some project which took you by surprise?

> I’d just like confirmation if we should move off pycrypto to
> cryptography, or if these two things offer similar functionality,
> or if I’m way off base here ☺.

They both seem to be pretty solid and widely used, even though
cryptography has much more recent origins and so is still seeing a
lot more active development. This LWN article, ironically, describes
the events leading to its origins and covering reasons why it's
somewhat aligned with OpenStack-specific use cases:

> An orthogonal question I have received from one of our community
> members (Pavo on irc) is whether pycrypto (or if we move to
> cryptography) provide FIPS-140-2 compliance.

My understanding is that if you need, for example, a FIPS-compliant
AES implementation under the hood, then this is dependent more on
what backend libraries you're using... e.g.,
Jeremy Stanley