[openstack-dev] [requirements][daisycloud][freezer][fuel][solum][tatu][trove] pycrypto is dead and insecure, you should migrate part 2

Shake Chen shake.chen at gmail.com
Mon Jun 11 05:25:19 UTC 2018


These projects seem to be dead.

On Mon, Jun 11, 2018 at 5:48 AM, Matthew Thode <prometheanfire at gentoo.org>
wrote:

> On 18-06-04 14:06:24, Matthew Thode wrote:
> > On 18-05-13 12:22:06, Matthew Thode wrote:
> > > This is a reminder to the projects called out that they are using old,
> > > unmaintained and probably insecure libraries (it's been dead since
> > > 2014).  Please migrate off to use the cryptography library.  We'd like
> > > to drop pycrypto from requirements for rocky.
> > >
> > > See also, the bug, which has most of you cc'd already.
> > >
> > > https://bugs.launchpad.net/openstack-requirements/+bug/1749574
> > >
> >
> > +-----------------+----------------------------------------------------------------+------+--------------------------------+
> > | Repository      | Filename                                                       | Line | Text                           |
> > +-----------------+----------------------------------------------------------------+------+--------------------------------+
> > | daisycloud-core | code/daisy/requirements.txt                                    |   17 | pycrypto>=2.6 # Public Domain  |
> > | freezer         | requirements.txt                                               |   21 | pycrypto>=2.6 # Public Domain  |
> > | fuel-dev-tools  | contrib/fuel-setup/requirements.txt                            |    5 | pycrypto==2.6.1                |
> > | fuel-web        | nailgun/requirements.txt                                       |   24 | pycrypto>=2.6.1                |
> > | solum           | requirements.txt                                               |   24 | pycrypto # Public Domain       |
> > | tatu            | requirements.txt                                               |    7 | pycrypto>=2.6.1                |
> > | tatu            | test-requirements.txt                                          |    7 | pycrypto>=2.6.1                |
> > | trove           | integration/scripts/files/requirements/fedora-requirements.txt |   30 | pycrypto>=2.6  # Public Domain |
> > | trove           | integration/scripts/files/requirements/ubuntu-requirements.txt |   29 | pycrypto>=2.6  # Public Domain |
> > | trove           | requirements.txt                                               |   47 | pycrypto>=2.6 # Public Domain  |
> > +-----------------+----------------------------------------------------------------+------+--------------------------------+
> >
> > In order by name, notes follow.
> >
> > daisycloud-core - looks like AES / random functions are used
> > freezer         - looks like AES / random functions are used
> > solum           - looks like AES / RSA functions are used
> > trove           - has a review!!! https://review.openstack.org/#/c/560292/
> >
> > The following projects are not tracked so we won't wait on them.
> > fuel-dev-tools, fuel-web, tatu
> >
> > so it looks like progress is being made, so we have that going for us,
> > which is nice.  What can I do to help move this forward?
> >
>
> It does not look like the projects (other than trove) are moving forward
> on this.
>
> --
> Matthew Thode (prometheanfire)
>


-- 
Shake Chen
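
The table quoted above lists requirements lines that still pull in pycrypto. As an added example (not part of this thread and not OpenStack tooling), here is one way to find such lines across requirements files without also flagging the separately named pycryptodome / pycryptodomex distributions; the function name `find_pycrypto` and the sample file contents are constructed for illustration.

```python
import re

# Leading distribution name, optional extras, then the version specifier
# (environment markers after ";" are left out of the specifier).
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;]*)")


def normalize(name):
    """PEP 503 normalisation: PyCrypto, py_crypto and py.crypto compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_pycrypto(files, target="pycrypto"):
    """files maps path -> requirements text; returns (path, line, specifier) hits."""
    hits = []
    for path, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), start=1):
            # A "#" starts a comment only at line start or after whitespace,
            # which covers trailing licence notes such as "# Public Domain".
            line = re.sub(r"(^|\s)#.*$", "", raw).strip()
            if not line or line.startswith("-"):  # blanks and pip options (-r, -e)
                continue
            m = REQ_RE.match(line)
            # Compare the whole normalised name: a prefix test would also
            # match pycryptodome and pycryptodomex, which are other packages.
            if m and normalize(m.group(1)) == normalize(target):
                hits.append((path, lineno, m.group(3).strip()))
    return hits


# Constructed sample input, not copied from any of the repositories named above.
SAMPLE = {
    "requirements.txt": (
        "# constructed sample\n"
        "pbr>=2.0.0 # Apache-2.0\n"
        "pycrypto>=2.6 # Public Domain\n"
        "cryptography>=2.1 # BSD/Apache-2.0\n"
    ),
    "test-requirements.txt": (
        "PyCrypto==2.6.1\n"
        "pycryptodome>=3.4\n"
        "pycryptodomex\n"
        "-r requirements.txt\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, spec in find_pycrypto(SAMPLE):
        print(f"{path}:{lineno}: pycrypto{spec}")
```

Requirements given as VCS or URL references (for example lines ending in `#egg=...`) are not parsed by this sketch and need a separate check.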