[openstack-dev] [requirements] pycrypto is dead, long live pycryptodome... or cryptography...

Lance Bragstad lbragstad at gmail.com
Wed Mar 29 15:41:06 UTC 2017

With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and
Morgan!), I did some poking at the usage in keystonemiddleware [1].

The usage is built into auth_token middleware for encrypting and decrypting
things stored in cache [2], but it is conditional based on configuration
[3] and whether or not pycrypto is installed [4]. The encryption of things
before caching them is disabled by default.

We've also had several discussions about moving keystonemiddleware to using
oslo.cache instead of its own caching implementation [5] for py3 reasons.
If we're going to invest time into making that switch, grouping the switch
from pycrypto to pyca/cryptography doesn't sound unreasonable.

Any thoughts on this from a keystone perspective? I can try and work them
into a spec proposal for keystonemiddleware since I'll be proposing one for
the oslo.cache switch [6].

[0] https://review.openstack.org/#/c/443318/

On Wed, Mar 29, 2017 at 9:56 AM, Brian Rosmaita <rosmaita.fossdev at gmail.com> wrote:

> On 3/8/17 2:03 PM, Matthew Thode wrote:
> > So, pycrypto upstream is dead and has been for a while, we should look
> > at moving off of it for both bugfix and security reasons.
> >
> > Currently it's used by the following.
> >
> > barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,
> > kolla, openstack-ansible, and a couple of other smaller places.
> [snip]
> > I'd be interested in hearing about migration plans, especially from the
> > affected projects.
> Glance report:
> - pycrypto isn't used in glance_store or python-glanceclient
> - Glance already uses cryptography for image-signature verification, so
> our path will be to migrate from pycrypto -> cryptography
> - I've got a patch up for this: https://review.openstack.org/#/c/449401/
> cheers,
> brian