[openstack-dev] [requirements] pycrypto is dead, long live pycryptodome... or cryptography...

Lance Bragstad lbragstad at gmail.com
Wed Mar 29 15:41:06 UTC 2017


With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and
Morgan!), I did some poking at the usage in keystonemiddleware [1].

The usage is built into auth_token middleware for encrypting and decrypting
things stored in cache [2], but it is conditional based on configuration
[3] and whether or not pycrypto is installed [4]. The encryption of things
before caching them is disabled by default.

We've also had several discussions about moving keystonemiddleware to using
oslo.cache instead of its own caching implementation [5] for py3 reasons.
If we're going to invest time into making that switch, grouping the switch
from pycrypto to pyca/cryptography doesn't sound unreasonable.

Any thoughts on this from a keystone perspective? I can try and work them
into a spec proposal for keystonemiddleware since I'll be proposing one for
the oslo.cache switch [6].

[0] https://review.openstack.org/#/c/443318/
[1] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/test-requirements.txt#L12
[2] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L19-L21
[3] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_opts.py#L109-L122
[4] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L42-L46
[5] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-136
[6] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-149

On Wed, Mar 29, 2017 at 9:56 AM, Brian Rosmaita <rosmaita.fossdev at gmail.com>
wrote:

> On 3/8/17 2:03 PM, Matthew Thode wrote:
> > So, pycrypto upstream is dead and has been for a while, we should look
> > at moving off of it for both bugfix and security reasons.
> >
> > Currently it's used by the following.
> >
> > barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,
> > kolla, openstack-ansible, and a couple of other smaller places.
>
> [snip]
>
> > I'd be interested in hearing about migration plans, especially from the
> > affected projects.
>
> Glance report:
> - pycrypto isn't used in glance_store or python-glanceclient
> - Glance already uses cryptography for image-signature verification, so
> our path will be to migrate from pycrypto -> cryptography
> - I've got a patch up for this: https://review.openstack.org/#/c/449401/
>
> cheers,
> brian
>
>
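The message above describes auth_token middleware encrypting and decrypting entries it stores in memcache, and proposes moving that code from pycrypto to pyca/cryptography. The block below is an added example of what such a cache-protection layer looks like on top of pyca/cryptography; it is not keystonemiddleware's own `_memcache_crypt` code and does not reproduce its format. It assumes a plain dict standing in for the memcache backend, a constructed shared secret, and hypothetical names (`ProtectedCache`, `_derive`, `demo`). It keys the cache by an HMAC of the token rather than the token itself, seals the value with AES-GCM (an authenticated mode, so a tampered entry is detected rather than decrypted to garbage), and binds each ciphertext to its cache key via associated data.

```python
"""Added example (not keystonemiddleware's code): protecting cache entries
with pyca/cryptography.  Assumes a dict as the stand-in for memcache and a
constructed shared secret; all names here are hypothetical."""
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def _derive(secret: bytes, info: bytes) -> bytes:
    # Derive distinct 256-bit keys for the cache-key MAC and the value cipher
    # from one configured secret, so the two uses never share key material.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=info).derive(secret)


class ProtectedCache:
    def __init__(self, secret: bytes, backend=None):
        self._mac_key = _derive(secret, b"cache-key-mac")
        self._aead = AESGCM(_derive(secret, b"cache-value-aead"))
        self._backend = {} if backend is None else backend

    def _cache_key(self, token: str) -> str:
        # Never use the raw token as the memcache key: a keyed hash keeps the
        # token out of the cache namespace while staying deterministic.
        return hmac.new(self._mac_key, token.encode(), hashlib.sha256).hexdigest()

    def set(self, token: str, data: bytes) -> None:
        key = self._cache_key(token)
        nonce = os.urandom(NONCE_LEN)  # fresh per entry; never reuse with one key
        # Associated data binds the ciphertext to its key, so an entry copied
        # under another key fails authentication.
        ciphertext = self._aead.encrypt(nonce, data, key.encode())
        self._backend[key] = nonce + ciphertext

    def get(self, token: str):
        key = self._cache_key(token)
        blob = self._backend.get(key)
        if blob is None:
            return None
        nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
        try:
            return self._aead.decrypt(nonce, ciphertext, key.encode())
        except InvalidTag:
            # Tampered, truncated or mis-keyed entry: treat as a cache miss
            return None


def demo():
    """Round-trip one entry, then corrupt it in the backend and read again."""
    backend = {}
    cache = ProtectedCache(b"constructed-shared-secret", backend)
    token = "token-abc"  # constructed sample token
    cache.set(token, b'{"user": "alice"}')
    intact = cache.get(token)
    raw_token_exposed = token in backend
    # Flip one bit of the stored blob to simulate a tampered cache entry
    key = next(iter(backend))
    blob = bytearray(backend[key])
    blob[-1] ^= 0x01
    backend[key] = bytes(blob)
    tampered = cache.get(token)
    missing = cache.get("never-cached")
    return intact, raw_token_exposed, tampered, missing


if __name__ == "__main__":
    print(demo())
```

The two `HKDF` calls are the part worth keeping even if the rest changes: one configured secret, two labelled sub-keys, so the MAC over cache keys and the cipher over cache values cannot be cross-used. The `InvalidTag` path is where the security benefit over an unauthenticated AES mode shows up: a modified entry becomes a miss, not a silently altered token payload.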