[openstack-dev] [requirements] pycrypto is dead, long live pycryptodome... or cryptography...

Amrith Kumar amrith.kumar at gmail.com
Wed Mar 8 23:38:08 UTC 2017


Sounds like a good candidate for a cross-project release goal.

A non-controversial situation, the work is a no-op for most, a specific
deliverable for a few, and a mechanism to close the loop and make sure it
gets done in a specific timeframe?

Thanks for surfacing it Matthew.

-amrith

-----Original Message-----
From: Davanum Srinivas [mailto:davanum at gmail.com] 
Sent: Wednesday, March 8, 2017 2:30 PM
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [requirements] pycrypto is dead, long live pycryptodome... or cryptography...

Ack thanks Matthew!

On Wed, Mar 8, 2017 at 2:24 PM, Matthew Thode <prometheanfire at gentoo.org>
wrote:
> I'm aware, iirc it was brought up when pysaml2 had to be fixed due to 
> a CVE.  This thread is more looking for a long term fix.
>
> On 03/08/2017 01:11 PM, Davanum Srinivas wrote:
>> Matthew,
>>
>> Please see the last time i took inventory:
>> https://review.openstack.org/#/q/pycryptodome+owner:dims-v
>>
>> Thanks,
>> Dims
>>
>> On Wed, Mar 8, 2017 at 2:03 PM, Matthew Thode <prometheanfire at gentoo.org> wrote:
>>> So, pycrypto upstream is dead and has been for a while, we should 
>>> look at moving off of it for both bugfix and security reasons.
>>>
>>> Currently it's used by the following.
>>>
>>> barbican, cinder, trove, glance, heat, keystoneauth,
>>> keystonemiddleware, kolla, openstack-ansible, and a couple of other
>>> smaller places.
>>>
>>> Development of it was forked into pycryptodome, which is supposed to
>>> be a drop-in replacement.  The problem is that due to
>>> co-installability requirements we can't have half of packages out
>>> there using pycrypto and the other half using pycryptodome.  We'd
>>> need to hard switch everyone as both packages install into the same
>>> namespace.
>>>
>>> Another alternative would be to use something like cryptography
>>> instead; though it is not a drop-in replacement, the migration could
>>> be done piecemeal.
>>>
>>> I'd be interested in hearing about migration plans, especially from 
>>> the affected projects.
>>>
>>> --
>>> Matthew Thode (prometheanfire)
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: 
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>>
>>
>
>
> --
> Matthew Thode (prometheanfire)
>
>
>



--
Davanum Srinivas :: https://twitter.com/dims

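Dims links to an inventory of pycryptodome reviews but the thread does not say how the affected call sites were found. The script below is an added example, not code from the thread or from any OpenStack project: it walks a source tree with Python's ast module, records every `import Crypto...` / `from Crypto... import ...` (the namespace both pycrypto and pycryptodome install into) and suggests the area of the cryptography library that covers the same functionality. The REPLACEMENTS mapping, the sample files and the file names are the editor's own assumptions, not something the thread states.

```python
"""Inventory pycrypto usage in a source tree and suggest cryptography equivalents.

Added example (not from the mailing-list thread). Both pycrypto and
pycryptodome live in the ``Crypto`` namespace, so the scan finds users of
either; the mapping below is an assumption about where in ``cryptography``
each area is covered and must be reviewed per call site.
"""
import ast
import os
import tempfile

# Assumed mapping (editor's own, not from the thread): pycrypto module
# prefix -> replacement area in the cryptography library / stdlib.
REPLACEMENTS = {
    "Crypto.Cipher": "cryptography.hazmat.primitives.ciphers",
    "Crypto.Hash": "cryptography.hazmat.primitives.hashes",
    "Crypto.PublicKey": "cryptography.hazmat.primitives.asymmetric",
    "Crypto.Signature": "cryptography.hazmat.primitives.asymmetric (sign/verify)",
    "Crypto.Protocol.KDF": "cryptography.hazmat.primitives.kdf",
    "Crypto.Random": "os.urandom / secrets",
    "Crypto.Util": "no single equivalent; review call sites",
}


def pycrypto_imports(source):
    """Return fully qualified ``Crypto.*`` names imported by ``source``.

    ``import Crypto.Cipher.AES`` and ``from Crypto.Cipher import AES`` both
    resolve to ``Crypto.Cipher.AES``; ``from Crypto import Random`` resolves
    to ``Crypto.Random``.  Order of appearance is preserved.
    """
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "Crypto" or alias.name.startswith("Crypto."):
                    found.append(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module == "Crypto" or node.module.startswith("Crypto."):
                for alias in node.names:
                    found.append(node.module + "." + alias.name)
    return found


def suggest_replacement(name):
    """Map a pycrypto name to the cryptography area that covers it."""
    for prefix, target in REPLACEMENTS.items():
        if name == prefix or name.startswith(prefix + "."):
            return target
    return "unmapped; review manually"


def scan_tree(root):
    """Return {relative_path: [(pycrypto_name, suggestion), ...]}.

    Only files that import from the ``Crypto`` namespace appear in the
    result; files that fail to parse are skipped rather than aborting.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".py"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8") as fh:
                try:
                    names = pycrypto_imports(fh.read())
                except SyntaxError:
                    continue
            if names:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = [(n, suggest_replacement(n)) for n in names]
    return report


def demo():
    """Scan a constructed mini-tree (sample files, not a real project)."""
    samples = {
        "pkg/aes_helper.py": "from Crypto.Cipher import AES\nfrom Crypto import Random\n",
        "pkg/hashing.py": "import hashlib\nimport Crypto.Hash.SHA256\n",
        "pkg/clean.py": "import os\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for name, suggestion in hits:
            print(f"{path}: {name} -> {suggestion}")
```

Because it parses the AST rather than grepping, the scan ignores the string "Crypto" in comments and docstrings and catches aliased imports (`import Crypto.Random as R`). Run it against a project root to get the per-project deliverable the thread asks for; the suggestions are starting points for the piecemeal migration to cryptography, not mechanical rewrites.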