[openstack-dev] [requirements][barbican][daisycloud][freezer][fuel][heat][pyghmi][rpm-packaging][solum][tatu][trove] pycrypto is dead and insecure, you should migrate
Matthew Thode
prometheanfire at gentoo.org
Tue May 15 17:05:39 UTC 2018
On 18-05-15 12:25:04, Zane Bitter wrote:
> On 13/05/18 13:22, Matthew Thode wrote:
> > This is a reminder to the projects called out that they are using old,
> > unmaintained and probably insecure libraries (it's been dead since
> > 2014). Please migrate off to use the cryptography library. We'd like
> > to drop pycrypto from requirements for rocky.
> >
> > See also, the bug, which has most of you cc'd already.
> >
> > https://bugs.launchpad.net/openstack-requirements/+bug/1749574
> >
> > +----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
> > | Repository | Filename | Line | Text |
> > +----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
> > | barbican | requirements.txt | 25 | pycrypto>=2.6 # Public Domain |
> > | daisycloud-core | code/daisy/requirements.txt | 17 | pycrypto>=2.6 # Public Domain |
> > | freezer | requirements.txt | 21 | pycrypto>=2.6 # Public Domain |
> > | fuel-web | nailgun/requirements.txt | 24 | pycrypto>=2.6.1 |
> > | heat-cfnclient | requirements.txt | 2 | PyCrypto>=2.1.0 |
>
> AFAICT heat-cfnclient isn't actually using PyCrypto, even though it's listed
> in requirements.txt. The whole project is just a light wrapper around
> python-boto (though this wasn't always the case IIRC), so I suspect it's
> just relying on boto for all of the auth stuff.
>
Thanks for the notice, submitted a review to remove it.
https://review.openstack.org/568646
> > | pyghmi | requirements.txt | 1 | pycrypto>=2.6 |
> > | rpm-packaging | requirements.txt | 189 | pycrypto>=2.6 # Public Domain |
> > | solum | requirements.txt | 24 | pycrypto>=2.6 # Public Domain |
> > | tatu | requirements.txt | 7 | pycrypto>=2.6.1 |
> > | tatu | test-requirements.txt | 7 | pycrypto>=2.6.1 |
> > | trove | integration/scripts/files/requirements/fedora-requirements.txt | 30 | pycrypto>=2.6 # Public Domain |
> > | trove | integration/scripts/files/requirements/ubuntu-requirements.txt | 29 | pycrypto>=2.6 # Public Domain |
> > | trove | requirements.txt | 47 | pycrypto>=2.6 # Public Domain |
> > +----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
> >
> >
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
--
Matthew Thode (prometheanfire)
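
The table quoted above lists every requirements file that still names pycrypto. The following is an added example, not part of the original thread or of any OpenStack tooling: it produces the same Repository / Filename / Line / Text rows from a set of requirements files, matching the name case-insensitively without flagging the separate pycryptodome distribution. The function names, the `root/<repository>/...` layout assumed by `load_tree`, and the sample data are assumptions made for illustration.

```python
import re
from pathlib import Path

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")  # leading distribution name

def normalize(name):
    """PEP 503 name normalisation, so PyCrypto and pycrypto compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_pinned(files, package="pycrypto"):
    """Return (repository, filename, line, text) rows for requirements on `package`.

    `files` maps (repository, filename) to the file's content.
    """
    target = normalize(package)
    rows = []
    for (repo, filename), content in sorted(files.items()):
        for line_no, raw in enumerate(content.splitlines(), start=1):
            text = raw.strip()
            # Skip blanks, comment lines and pip options such as "-r other.txt".
            if not text or text.startswith(("#", "-")):
                continue
            match = NAME_RE.match(text)
            # Compare whole names: pycryptodome is a different distribution.
            if match and normalize(match.group(1)) == target:
                rows.append((repo, filename, line_no, text))
    return rows

def load_tree(root):
    """Read *requirements*.txt files under root/<repository>/... (assumed layout)."""
    files = {}
    for path in Path(root).rglob("*requirements*.txt"):
        parts = path.relative_to(root).parts
        if len(parts) >= 2 and path.is_file():
            files[(parts[0], "/".join(parts[1:]))] = path.read_text(errors="replace")
    return files

# Constructed sample input, not taken from any real repository.
SAMPLE = {
    ("example-service", "requirements.txt"):
        "pbr>=2.0.0 # Apache-2.0\n# pycrypto was listed here historically\n"
        "PyCrypto>=2.1.0\ncryptography>=2.1 # BSD/Apache-2.0\n",
    ("example-agent", "test-requirements.txt"):
        "-r requirements.txt\npycryptodome>=3.4\npycrypto>=2.6 # Public Domain\n",
}

if __name__ == "__main__":
    for row in find_pinned(SAMPLE):
        print(" | ".join(str(col) for col in row))
```

Running `find_pinned(load_tree("/path/to/checkouts"))` over a directory of repository checkouts gives one row per remaining pycrypto requirement.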