[openstack-dev] [requirements] pycrypto is dead, long live pycryptodome... or cryptography...

Matthew Thode prometheanfire at gentoo.org
Wed Mar 8 19:03:58 UTC 2017


So, pycrypto upstream is dead and has been for a while; we should look
at moving off of it for both bugfix and security reasons.

Currently it's used by the following:

barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,
kolla, openstack-ansible, and a couple of other smaller places.

Development of it was forked into pycryptodome, which is supposed to be
a drop-in replacement.  The problem is that due to co-installability
requirements we can't have half of the packages out there using pycrypto
and the other half using pycryptodome.  We'd need to hard switch everyone
as both packages install into the same namespace.

Another alternative would be to use something like cryptography instead;
though it is not a drop-in replacement, the migration would be able to
be done piecemeal.

I'd be interested in hearing about migration plans, especially from the
affected projects.

-- 
Matthew Thode (prometheanfire)
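
Added example, not part of the original message or of any OpenStack
project's code: the Python below reports which installed distributions
ship files under the shared Crypto/ namespace described above, and lists
the Crypto imports left in a source tree so a piecemeal port can be
tracked. The function names are hypothetical and the sources in SAMPLE
are constructed.

```python
import ast
from importlib import metadata


def namespace_owners(top_level="Crypto"):
    """Installed distributions that ship files under <top_level>/."""
    owners = set()
    for dist in metadata.distributions():
        for path in dist.files or []:
            if path.parts and path.parts[0] == top_level:
                owners.add(dist.metadata.get("Name") or "unknown")
                break
    return sorted(owners)


def crypto_imports(source, top_level="Crypto"):
    """Absolute imports in source that resolve under top_level."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [f"{node.module}.{alias.name}" for alias in node.names]
        else:
            continue
        found.update(n for n in names if n.split(".")[0] == top_level)
    return sorted(found)


def migration_report(files):
    """Map each file name to its Crypto imports, skipping clean files."""
    report = {name: crypto_imports(src) for name, src in files.items()}
    return {name: mods for name, mods in report.items() if mods}


# Constructed sample sources (not taken from any OpenStack project).
SAMPLE = {
    "legacy_kek.py": "from Crypto.Cipher import AES\nimport Crypto.Random\n",
    "ported.py": "from cryptography.fernet import Fernet\n",
    "local.py": "from .Crypto import helper\n",
}

if __name__ == "__main__":
    owners = namespace_owners()
    if len(owners) > 1:
        print("conflict: several distributions install Crypto/:", owners)
    for name, mods in migration_report(SAMPLE).items():
        print(name, "->", ", ".join(mods))
```

More than one name returned by namespace_owners() means two
distributions are writing into the same Crypto/ directory on that host.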
