[openstack-dev] [requirements] pycrypto is dead, long live pycryptodome... or cryptography...

Lance Bragstad lbragstad at gmail.com
Wed Mar 29 16:09:51 UTC 2017


Actually - in lieu of writing specs for this work, we already have a
keystonemiddleware bug open for moving to oslo.cache [0].

I've opened another bug for moving to a supported crypto library [1].

[0] https://bugs.launchpad.net/keystonemiddleware/+bug/1523375
[1] https://bugs.launchpad.net/keystonemiddleware/+bug/1677308

On Wed, Mar 29, 2017 at 10:41 AM, Lance Bragstad <lbragstad at gmail.com>
wrote:

> With pycrypto removed from keystoneauth [0] (thanks Brant, Monty, and
> Morgan!), I did some poking at the usage in keystonemiddleware [1].
>
> The usage is built into auth_token middleware for encrypting and
> decrypting things stored in cache [2], but it is conditional based on
> configuration [3] and whether or not pycrypto is installed [4]. The
> encryption of things before caching them is disabled by default.
>
> We've also had several discussions about moving keystonemiddleware to
> using oslo.cache instead of its own caching implementation [5] for py3
> reasons. If we're going to invest time into making that switch, grouping
> the switch from pycrypto to pyca/cryptography doesn't sound unreasonable.
>
> Any thoughts on this from a keystone perspective? I can try and work them
> into a spec proposal for keystonemiddleware since I'll be proposing one for
> the oslo.cache switch [6].
>
> [0] https://review.openstack.org/#/c/443318/
> [1] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/test-requirements.txt#L12
> [2] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L19-L21
> [3] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_opts.py#L109-L122
> [4] https://github.com/openstack/keystonemiddleware/blob/a2e3d60644aadb4ecb3d49dadbcd5d4c1dec2176/keystonemiddleware/auth_token/_memcache_crypt.py#L42-L46
> [5] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-136
> [6] http://eavesdrop.openstack.org/meetings/keystone/2017/keystone.2017-03-21-18.00.log.html#l-149
>
> On Wed, Mar 29, 2017 at 9:56 AM, Brian Rosmaita <
> rosmaita.fossdev at gmail.com> wrote:
>
>> On 3/8/17 2:03 PM, Matthew Thode wrote:
>> > So, pycrypto upstream is dead and has been for a while, we should look
>> > at moving off of it for both bugfix and security reasons.
>> >
>> > Currently it's used by the following.
>> >
>> > barbican, cinder, trove, glance, heat, keystoneauth, keystonemiddleware,
>> > kolla, openstack-ansible, and a couple of other smaller places.
>>
>> [snip]
>>
>> > I'd be interested in hearing about migration plans, especially from the
>> > affected projects.
>>
>> Glance report:
>> - pycrypto isn't used in glance_store or python-glanceclient
>> - Glance already uses cryptography for image-signature verification, so
>> our path will be to migrate from pycrypto -> cryptography
>> - I've got a patch up for this: https://review.openstack.org/#/c/449401/
>>
>> cheers,
>> brian
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
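Before a migration like the one Matthew asks about can be planned, someone has to inventory where the Crypto namespace is imported and whether each import is guarded, as in the auth_token case above where a missing library silently leaves cache encryption disabled. The following is an added example, not keystonemiddleware or OpenStack code: a stdlib-only scanner that reports Crypto imports with a "guarded" flag and picks pycrypto-family pins out of requirements files; SAMPLE_SOURCE and SAMPLE_REQUIREMENTS are constructed inputs.

```python
import ast
import re
from pathlib import Path

LEGACY_NS = "Crypto"  # pycrypto and pycryptodome both install this top-level package
REQ_RE = re.compile(r"^\s*(pycryptodomex|pycryptodome|pycrypto)\b", re.IGNORECASE)
# Constructed samples: the guarded-import pattern the thread describes for auth_token.
SAMPLE_SOURCE = ("import hashlib\ntry:\n    from Crypto.Cipher import AES  # optional\n"
                 "except ImportError:\n    AES = None\n"
                 "from cryptography.hazmat.primitives import hashes\n")
SAMPLE_REQUIREMENTS = "pycrypto>=2.6 # MIT\npbr>=1.8\npycryptodome>=3.4\n"

def find_crypto_imports(source):
    """(lineno, module, guarded) per Crypto import; guarded=True means it sits in a
    try: body, so a missing library silently changes behaviour instead of failing."""
    hits = []
    def visit(node, guarded):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            hits.extend((node.lineno, n, guarded) for n in names
                        if n == LEGACY_NS or n.startswith(LEGACY_NS + "."))
        elif isinstance(node, ast.Try):
            for stmt in node.body:          # only the try body is the guarded region
                visit(stmt, True)
            for child in node.handlers + node.orelse + node.finalbody:
                visit(child, guarded)
        else:
            for child in ast.iter_child_nodes(node):
                visit(child, guarded)
    visit(ast.parse(source), False)
    return hits

def find_legacy_requirements(text):
    """(package, line) for every pycrypto-family pin in a requirements file."""
    return [(m.group(1).lower(), line.strip())
            for line in text.splitlines() if (m := REQ_RE.match(line))]

def scan_tree(root):
    """Map relative path -> findings for *.py and *requirements*.txt under root."""
    report = {}
    for path in Path(root).rglob("*.py"):
        if found := find_crypto_imports(path.read_text(errors="replace")):
            report[str(path.relative_to(root))] = found
    for path in Path(root).rglob("*requirements*.txt"):
        if pins := find_legacy_requirements(path.read_text(errors="replace")):
            report[str(path.relative_to(root))] = pins
    return report
```

ast.parse raises SyntaxError on files that are not valid Python 3 (for example py2-only modules); when scanning a mixed tree, catch it per file and list the file as unparseable rather than aborting the inventory.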