[openstack-dev] [requirements][daisycloud][freezer][fuel][solum][tatu][trove] pycrypto is dead and insecure, you should migrate part 2

Matthew Thode prometheanfire at gentoo.org
Sun Jun 10 21:48:51 UTC 2018


On 18-06-04 14:06:24, Matthew Thode wrote:
> On 18-05-13 12:22:06, Matthew Thode wrote:
> > This is a reminder to the projects called out that they are using an old,
> > unmaintained and probably insecure library (it has been dead since
> > 2014).  Please migrate off it to use the cryptography library.  We'd like
> > to drop pycrypto from requirements for rocky.
> > 
> > See also, the bug, which has most of you cc'd already.
> > 
> > https://bugs.launchpad.net/openstack-requirements/+bug/1749574
> > 
> 
> +----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
> | Repository                             | Filename                                                            | Line | Text                                              |
> +----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
> | daisycloud-core                        | code/daisy/requirements.txt                                         |   17 | pycrypto>=2.6 # Public Domain                     |
> | freezer                                | requirements.txt                                                    |   21 | pycrypto>=2.6 # Public Domain                     |
> | fuel-dev-tools                         | contrib/fuel-setup/requirements.txt                                 |    5 | pycrypto==2.6.1                                   |
> | fuel-web                               | nailgun/requirements.txt                                            |   24 | pycrypto>=2.6.1                                   |
> | solum                                  | requirements.txt                                                    |   24 | pycrypto # Public Domain                          |
> | tatu                                   | requirements.txt                                                    |    7 | pycrypto>=2.6.1                                   |
> | tatu                                   | test-requirements.txt                                               |    7 | pycrypto>=2.6.1                                   |
> | trove                                  | integration/scripts/files/requirements/fedora-requirements.txt      |   30 | pycrypto>=2.6  # Public Domain                    |
> | trove                                  | integration/scripts/files/requirements/ubuntu-requirements.txt      |   29 | pycrypto>=2.6  # Public Domain                    |
> | trove                                  | requirements.txt                                                    |   47 | pycrypto>=2.6 # Public Domain                     |
> +----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
> 
> In order by name, notes follow.
> 
> daisycloud-core - looks like AES / random functions are used
> freezer         - looks like AES / random functions are used
> solum           - looks like AES / RSA functions are used
> trove           - has a review!!! https://review.openstack.org/#/c/560292/
> 
> The following projects are not tracked so we won't wait on them.
> fuel-dev-tools, fuel-web, tatu
> 
> So it looks like progress is being made, so we have that going for us,
> which is nice.  What can I do to help move this forward?
> 

It does not look like the projects (other than trove) are moving forward
on this.

-- 
Matthew Thode (prometheanfire)
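The mail lists the pycrypto features the remaining projects still depend on (AES, random bytes, RSA) without showing what the replacement looks like. The following is an added example, not code from any of the projects named above, of the pyca/cryptography equivalents a migration would use: AES-GCM in place of the unauthenticated AES.MODE_CBC pattern pycrypto code usually had, os.urandom in place of Crypto.Random, and RSA-PSS signing in place of the old PKCS#1 v1.5 helpers. Key, message and associated-data values are constructed here for illustration.

```python
"""Migration target for code that still imports Crypto.Cipher.AES,
Crypto.Random or Crypto.PublicKey.RSA.

Added example (not from any OpenStack project): pyca/cryptography
equivalents of the pycrypto calls the thread mentions.  All key and
message values are constructed for the example.
"""
import os

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

AES_KEY_BYTES = 32   # AES-256
NONCE_BYTES = 12     # standard GCM nonce size


def random_bytes(n: int) -> bytes:
    """Replacement for Crypto.Random.get_random_bytes() / Random.new().read()."""
    return os.urandom(n)


def aes_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """AES-GCM encrypt; returns nonce || ciphertext || tag.

    pycrypto code typically did AES.new(key, AES.MODE_CBC, iv) with hand-rolled
    padding and no integrity check.  AES-GCM gives confidentiality and
    integrity in one call; a fresh random nonce is mandatory per message.
    """
    if len(key) != AES_KEY_BYTES:
        raise ValueError("key must be %d bytes" % AES_KEY_BYTES)
    nonce = random_bytes(NONCE_BYTES)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def aes_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Inverse of aes_encrypt; raises InvalidTag if blob or aad was altered."""
    nonce, ct = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    return AESGCM(key).decrypt(nonce, ct, aad)


def decrypt_or_none(key: bytes, blob: bytes, aad: bytes = b""):
    """Convenience wrapper: None instead of an exception on tampered input."""
    try:
        return aes_decrypt(key, blob, aad)
    except InvalidTag:
        return None


def rsa_keypair():
    """Replacement for Crypto.PublicKey.RSA.generate(2048)."""
    return rsa.generate_private_key(
        public_exponent=65537, key_size=2048, backend=default_backend()
    )


def public_pem(private_key) -> bytes:
    """Replacement for key.publickey().exportKey(): SubjectPublicKeyInfo PEM."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                   salt_length=padding.PSS.MAX_LENGTH)


def rsa_sign(private_key, message: bytes) -> bytes:
    """RSA-PSS / SHA-256 signature, replacing the PKCS1_v1_5 signing helpers."""
    return private_key.sign(message, _PSS, hashes.SHA256())


def rsa_verify(public_key, message: bytes, signature: bytes) -> bool:
    """True only if the signature matches; never raises on a bad signature."""
    try:
        public_key.verify(signature, message, _PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    key = random_bytes(AES_KEY_BYTES)
    blob = aes_encrypt(key, b"constructed secret", b"record-id-1")
    print(aes_decrypt(key, blob, b"record-id-1"))
    priv = rsa_keypair()
    print(rsa_verify(priv.public_key(), b"msg", rsa_sign(priv, b"msg")))
```

The AAD argument is where callers bind context (a record id, a tenant) to the ciphertext so that a blob cannot be replayed against a different record; with CBC under pycrypto there was no equivalent, which is one reason a straight one-for-one port of the old calls is not the right migration.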