[openstack-dev] updating to pycryptodome from pycrypto

Ian Cordasco sigmavirus24 at gmail.com
Wed Jan 11 17:09:11 UTC 2017


-----Original Message-----
From: Matthew Thode <prometheanfire at gentoo.org>
Reply: prometheanfire at gentoo.org <prometheanfire at gentoo.org>,
OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Date: January 11, 2017 at 04:53:41
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject:  [openstack-dev] updating to pycryptodome from pycrypto

> So, pycrypto decided to rename themselves a while ago. At the same time
> they did an ABI change. This is causing projects that dep on them to
> have to handle both at the same time. While some projects have
> migrated, most have not.
>
> A problem has come up where a project has a CVE (pysaml2) and the fix is
> only in versions after they changed to pycryptodome. This means that in
> order to consume the fix in a python-native way, all the pycrypto
> dependencies would need to be updated to pycryptodome in all projects in the
> same namespace that pysaml2 is installed in.
>
> Possible solutions:
>
> update everything to pycryptodome
> * would be the best going forward
> * a ton of work very late in the cycle
>
> have upstream pysaml2 release a fix based on the code before the change
> * less work
> * should still circle around and update the world in pike
> * 4.0.2 was the last release; 4.0.3 was the change
> * would necessitate a 4.0.2.1 release
> * tag was removed, can hopefully be recovered for checkout/branch
>
>
> Here's the upstream bug to browse at your leisure :)
>
> https://github.com/rohe/pysaml2/issues/366

I don't think pycrypto actually willfully renamed itself. [1] As I
understand it, pycryptodome is a fork of pycrypto made after pycrypto
decided that they wanted to tell people to use pyca/cryptography
instead. Frankly, given pycrypto's history (and the history that
pycryptodome has probably inherited), I'd suspect that the best effort
for those of us interested is to help pysaml2 express the deficits it
has with cryptography so it can move to a better project. If there are
no deficits, then we should focus on helping pysaml2 port to
cryptography.


[1]: I'm verifying this with some people who know better

Cheers,
--
Ian Cordasco



More information about the OpenStack-dev mailing list