[openstack-dev] [requirements][kolla][security][trove] pycrypto vs cryptography

Steven Dake (stdake) stdake at cisco.com
Sun Nov 6 16:36:19 UTC 2016


Jeremy,

A+ thanks for the lengthy and thorough response.  I guess the answer is it doesn’t matter for now ☺  I’ll have to read that LWN article shortly.

As to your question of something taking me by surprise, not really; we adapt to our upstreams rather than expect them to adapt to us. It was more a curiosity thing (since we want Kolla to be very secure).

Regards,
-steve


From: Jeremy Stanley <fungi at yuggoth.org>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Date: Sunday, November 6, 2016 at 7:59 AM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> Currently Kolla uses pycrypto in our requirements.  I see a lot of
> big tent projects moving to cryptography.  Is this just my
> imagination, or was there a decision on this from the requirements
> team?  We are happy to comply with whatever dep management is
> considered appropriate for OpenStack ESPECIALLY as it relates to
> security and crypto libraries.

The only "decision" I'm aware of from the requirements reviewers
(long before it was an official team) was ~2.5 years ago when
cryptography was introduced into global requirements by developers
wishing to use it in Barbican: https://review.openstack.org/93794

Keystone seems to have added it into their own requirements soon
thereafter, a little over 2 years ago, for access to fernet
primitives to use in their lightweight token implementation:
https://review.openstack.org/145317

Nova introduced it roughly 1.5 years ago to replace some hacky
callouts to the openssl command-line utility in a number of
functions: https://review.openstack.org/198246

I'm sure I could find more examples, but this demonstrates there's
been a gradual uptake in the library in key parts of OpenStack over
the course of years. Is there a particular recent addition of it in
some project which took you by surprise?

> I’d just like confirmation if we should move off pycrypto to
> cryptography, or if these two things offer similar functionality,
> or if I’m way off base here ☺.

They both seem to be pretty solid and widely used, even though
cryptography has much more recent origins and so is still seeing a
lot more active development. This LWN article, ironically, describes
the events leading to its origins and covering reasons why it's
somewhat aligned with OpenStack-specific use cases:
https://lwn.net/Articles/595790/

> An orthogonal question I have received from one of our community
> members (Pavo on irc) is whether pycrypto (or if we move to
> cryptography) provide FIPS 140-2 compliance.

My understanding is that if you need, for example, a FIPS-compliant
AES implementation under the hood, then this is dependent more on
what backend libraries you're using... e.g.,
https://www.openssl.org/docs/fips.html
https://www.openssl.org/docs/fipsvalidation.html
--
Jeremy Stanley
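The thread mentions Keystone's use of cryptography's fernet primitives and the point that any FIPS 140-2 claim attaches to the backend OpenSSL rather than the Python wrapper. The block below is an added example written for this page; it is not code from the thread, from Kolla or from Keystone, and its payload, clock values and one-hour TTL are constructed for the demo. It shows the parts a practitioner migrating off pycrypto would want to see the library handle for them: a Fernet token carries its own timestamp and HMAC, MultiFernet lets a key list be rotated without invalidating outstanding tokens, and the integrity check rejects a single flipped bit. backend_info() reports the bound OpenSSL version via default_backend(), guarded because that accessor has moved between releases.

```python
"""Fernet tokens with the cryptography library: issue, verify, expire, rotate.

Added example; not code from the thread, Kolla or Keystone. Timestamps and
payloads are constructed for the demo.
"""
import base64

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Constructed clock values so the demo is deterministic.
ISSUED_AT = 1_478_450_000      # seconds since the epoch, 2016-11-06
TOKEN_TTL = 3600               # seconds a token stays valid (assumed policy)


def issue_token(key: bytes, payload: bytes, now: int = ISSUED_AT) -> bytes:
    """Issue a Fernet token over payload: AES-128-CBC + HMAC-SHA256, timestamp embedded."""
    return Fernet(key).encrypt_at_time(payload, now)


def verify_token(keys, token: bytes, now: int, ttl: int = TOKEN_TTL):
    """Return the payload, or None if the token fails integrity, key or TTL checks.

    keys is ordered newest first; MultiFernet encrypts with keys[0] and tries
    every key for decryption, so a key list can be rotated without
    invalidating tokens issued under the previous key.
    """
    try:
        return MultiFernet([Fernet(k) for k in keys]).decrypt_at_time(token, ttl, now)
    except InvalidToken:
        return None


def rotate_token(keys, token: bytes) -> bytes:
    """Re-encrypt a token under keys[0]; the original timestamp is preserved."""
    return MultiFernet([Fernet(k) for k in keys]).rotate(token)


def tamper(token: bytes) -> bytes:
    """Flip one bit in the ciphertext body. Layout: version(1) | ts(8) | iv(16) | ct | hmac(32)."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[30] ^= 0x01                 # byte 30 lies inside the AES ciphertext
    return base64.urlsafe_b64encode(bytes(raw))


def backend_info() -> str:
    """Report which OpenSSL the library is bound to; that library, not the
    Python wrapper, is what any FIPS 140-2 validation would attach to."""
    try:
        from cryptography.hazmat.backends import default_backend
        return default_backend().openssl_version_text()
    except (ImportError, AttributeError):   # accessor differs across releases; treat as unknown
        return "unknown"


def run_demo() -> dict:
    """Exercise issue/verify/expiry/rotation/tamper and return the outcomes."""
    old_key, new_key = Fernet.generate_key(), Fernet.generate_key()
    payload = b"user_id=steve;project=kolla"           # constructed payload
    tok = issue_token(old_key, payload)
    rotated = rotate_token([new_key, old_key], tok)
    return {
        "valid":         verify_token([old_key], tok, ISSUED_AT + 10),
        "expired":       verify_token([old_key], tok, ISSUED_AT + TOKEN_TTL + 1),
        "wrong_key":     verify_token([new_key], tok, ISSUED_AT + 10),
        "old_via_multi": verify_token([new_key, old_key], tok, ISSUED_AT + 10),
        "rotated_new":   verify_token([new_key], rotated, ISSUED_AT + 10),
        "rotated_old":   verify_token([old_key], rotated, ISSUED_AT + 10),
        "tampered":      verify_token([old_key], tamper(tok), ISSUED_AT + 10),
        "backend":       backend_info(),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>14}: {value!r}")
```

Run it directly to see each outcome; the "rotated_old" entry is the interesting one for operators, since after rotate() the token is only readable under the new key while keeping its original issue time, so the TTL does not restart.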
