[openstack-dev] updating to pycryptodome from pycrypto

Matthew Thode prometheanfire at gentoo.org
Wed Jan 11 10:51:04 UTC 2017


So, pycrypto decided to rename themselves a while ago.  At the same time
they did an ABI change.  This is causing projects that dep on them to
have to handle both at the same time.  While some projects have
migrated, most have not.

A problem has come up where a project has a CVE (pysaml2) and the fix is
only in versions after they changed to pycryptodome.  This means that in
order to consume the fix in a python-native way all the pycrypto
dependency would need to be updated to pycryptodome in all projects in the
same namespace that pysaml2 is installed.

Possible solutions:

update everything to pycryptodome
  * would be the best going forward
  * a ton of work very late in the cycle

have upstream pysaml2 release a fix based on the code before the change
  * less work
  * should still circle around and update the world in pike
  * 4.0.2 was the last release; 4.0.3 was the change
    * would necessitate a 4.0.2.1 release
    * tag was removed, can hopefully be recovered for checkout/branch


Here's the upstream bug to browse at your leisure :)

https://github.com/rohe/pysaml2/issues/366

-- 
Matthew Thode (prometheanfire)
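The "same namespace" problem in the mail comes from the fact that pycrypto (2.x) and pycryptodome (3.x) both install the top-level Crypto package, so whichever one lands last in a site-packages silently clobbers the other. The following script is an added example, not code from the thread or from either project: it classifies an environment from distribution metadata and, as a fallback, from the version_info the installed Crypto module reports (pycrypto 2.6.1 ships version_info = (2, 6, 1, 'final', 0); pycryptodome ships a 3.x tuple). The classify() and probe_crypto_module() helpers and the sample distribution lists are assumptions for illustration.

```python
"""Detect which pycrypto-family package provides the ``Crypto`` namespace.

pycrypto (2.x) and pycryptodome (3.x) both install the top-level ``Crypto``
package, so installing both into one environment leaves one overwriting the
other.  This added example classifies an environment by distribution
metadata and, as a fallback, by probing the installed ``Crypto`` module.
"""
from importlib import metadata  # stdlib, Python 3.8+

# Distribution names that provide a pycrypto-style API (assumed constants).
LEGACY = "pycrypto"          # 2.x, unmaintained, installs as ``Crypto``
DROP_IN = "pycryptodome"     # 3.x, also installs as ``Crypto``
SEPARATE = "pycryptodomex"   # 3.x, installs as ``Cryptodome`` instead


def classify(installed):
    """Classify a list of (distribution_name, version) pairs.

    Returns a dict with the detected provider of the ``Crypto`` package
    ('pycrypto', 'pycryptodome', 'ambiguous' or None) and a list of
    human-readable findings (conflicts, legacy-only environments).
    """
    names = {name.lower(): version for name, version in installed}
    findings = []
    provider = None
    if LEGACY in names and DROP_IN in names:
        # Both own site-packages/Crypto: the install order decides which
        # code actually runs, which is exactly the hazard the mail describes.
        findings.append(
            "conflict: pycrypto %s and pycryptodome %s both own the Crypto "
            "package; whichever was installed last wins"
            % (names[LEGACY], names[DROP_IN]))
        provider = "ambiguous"
    elif DROP_IN in names:
        provider = DROP_IN
    elif LEGACY in names:
        provider = LEGACY
        findings.append(
            "legacy-only: pycrypto is unmaintained; plan the move to pycryptodome")
    if SEPARATE in names:
        findings.append(
            "pycryptodomex present: code must import from Cryptodome, not Crypto")
    return {"provider": provider, "findings": findings}


def probe_crypto_module(crypto_mod):
    """Classify by the ``version_info`` the installed ``Crypto`` module reports.

    pycrypto 2.6.x exposes ``version_info == (2, 6, 1, 'final', 0)``;
    pycryptodome exposes a 3.x tuple.  Returns 'pycrypto', 'pycryptodome'
    or 'unknown'.  Takes the module as a parameter so it can be exercised
    with a stand-in object when neither library is installed.
    """
    info = getattr(crypto_mod, "version_info", None)
    if not info:
        return "unknown"
    major = info[0]
    if major == 2:
        return "pycrypto"
    if major >= 3:
        return "pycryptodome"
    return "unknown"


def installed_distributions():
    """Collect (name, version) pairs for every distribution on sys.path."""
    found = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"] if dist.metadata else None
        if name:
            found.append((name, dist.version))
    return found


if __name__ == "__main__":
    report = classify(installed_distributions())
    print("Crypto provider:", report["provider"])
    for line in report["findings"]:
        print(" -", line)
    try:
        import Crypto  # whichever package currently owns the namespace
        print("module probe:", probe_crypto_module(Crypto))
    except ImportError:
        print("module probe: no Crypto package importable")
```

Running it against a real virtualenv reports which package currently owns Crypto; a report of "ambiguous" is the case to fix before trusting any cryptographic behaviour in that environment.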


