[openstack-dev] updating to pycryptome from pycrypto

Ian Cordasco sigmavirus24 at gmail.com
Thu Jan 12 13:48:26 UTC 2017


-----Original Message-----
From: Ian Cordasco <sigmavirus24 at gmail.com>
Reply: Ian Cordasco <sigmavirus24 at gmail.com>
Date: January 11, 2017 at 11:09:11
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] updating to pycryptome from pycrypto

> -----Original Message-----
> From: Matthew Thode
> Reply: prometheanfire at gentoo.org , OpenStack Development
> Mailing List (not for usage questions)
> Date: January 11, 2017 at 04:53:41
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: [openstack-dev] updating to pycryptome from pycrypto
>
> > So, pycrypto decided to rename themselves a while ago. At the same time
> > they did an ABI change. This is causing projects that dep on them to
> > have to handle both at the same time. While some projects have
> > migrated, most have not.
> >
> > A problem has come up where a project has a CVE (pysaml2) and the fix is
> > only in versions after they changed to pycryptome. This means that in
> > order to consume the fix in a python-native way, all the pycrypto
> > dependencies would need to be updated to pycryptome in all projects in the
> > same namespace in which pysaml2 is installed.
> >
> > Possible solutions:
> >
> > update everything to pycryptome
> > * would be the best going forward
> > * a ton of work very late in the cycle
> >
> > have upstream pysaml2 release a fix based on the code before the change
> > * less work
> > * should still circle around and update the world in pike
> > * 4.0.2 was the last release; 4.0.3 was the change
> > * would necessitate a 4.0.2.1 release
> > * tag was removed, can hopefully be recovered for checkout/branch
> >
> >
> > Here's the upstream bug to browse at your leisure :)
> >
> > https://github.com/rohe/pysaml2/issues/366
>
> I don't think pycrypto actually willfully renamed itself. [1] As I understand it, pycryptome
> is a fork of pycrypto made after pycrypto decided that they wanted to tell people to use
> pyca/cryptography instead. Frankly, given pycrypto's history (and the history that
> pycryptome has probably inherited), I'd suspect that the best effort for those of us
> interested is to help pysaml2 express the deficits it has with cryptography so it can
> move to a better project. If there are no deficits, then we should focus on helping pysaml2
> port to cryptography.
>
>
> [1]: I'm verifying this with some people who know better

So I did verify that there are *several* hostile forks of PyCrypto.
That said, the work to move pysaml2 to cryptography has been finished:
https://github.com/rohe/pysaml2/pull/385

I'd ask OpenStackers to not start a brigade of +1s on the thread, but
if y'all want to watch it and help convince the maintainer (*if* they
need convincing) to merge this, that would be appreciated.

Cheers,
--
Ian Cordasco
