I had not previously heard of pycryptodome. Is this supposed to be a drop-in replacement for pycrypto? If so then it sounds like they're doing a terrible job of it.

The plan for Barbican has been to wait for pyca/cryptography [1] to add support for the APIs we needed to be able to drop our pycrypto dependency. I'll have to double check the latest pyca/cryptography notes, but I do believe it's at a point now where it can be used in Barbican to replace pycrypto. This would be the preferred fix for us.

AFAIK the paramiko folks were going to adopt pyca/cryptography as well, so it appears that pycryptodome support will not be merged there either. [2]

Additionally, bespoke pure-python cryptography gives me the heebie jeebies, so I would strongly recommend to move all cryptographic work to use pyca/cryptography instead of pycryptodome.

- Douglas Mendizábal

[1] https://cryptography.io/en/latest/
[2] https://github.com/paramiko/paramiko/pull/646

On 2/15/16 6:44 AM, Haïkel wrote:
> 2016-02-14 23:16 GMT+01:00 Davanum Srinivas <dava...@gmail.com>:
>> Hi,
>>
>> Short Story: pycryptodome if installed inadvertently will break
>> several projects: Example :
>> https://review.openstack.org/#/c/279926/
>>
>> Long Story: There's a new kid in town pycryptodome:
>> https://github.com/Legrandin/pycryptodome
>>
>> Because pycrypto itself has not been maintained for a while:
>> https://github.com/dlitz/pycrypto
>>
>> So folks like pysaml2 and paramiko are trying to switch over:
>> https://github.com/rohe/pysaml2/commit/0e4f5fa48b1965b269f69bd383bbfbde6b41ac63
>> https://github.com/paramiko/paramiko/issues/637
>>
>> In fact pysaml2===4.0.3 has already switched over. So the
>> requirements bot/script has been trying to alert us to this new
>> dependency, you can see Nova fail.
>> https://review.openstack.org/#/c/279926/
>>
>> Why does it fail? For example, the new library is strict about
>> getting bytes for keys and has dropped some parameters in
>> methods.
>> for example:
>> https://github.com/Legrandin/pycryptodome/blob/master/lib/Crypto/PublicKey/RSA.py#L405
>> https://github.com/dlitz/pycrypto/blob/master/lib/Crypto/PublicKey/RSA.py#L499
>>
>> Another problem, if pycrypto gets installed last then things
>> will work, if pycryptodome gets installed last, things will
>> fail. So we definitely cannot allow both in our
>> global-requirements and upper-constraints. We can always try to
>> pin stuff, but things will fail as there are a lot of jobs that
>> do not honor upper-constraints. And things will fail in the field
>> for Mitaka.
>>
>> Action: So what can we do? One possibility is to pin requirements
>> and hope for the best. Another is to tolerate the install of
>> either pycrypto or pycryptodome and test both combinations so we
>> don't have to fight this battle.
>>
>> Example for Nova : https://review.openstack.org/#/c/279909/
>> Example for Glance : https://review.openstack.org/#/c/280008/
>> Example for Barbican : https://review.openstack.org/#/c/280014/
>>
>> What do you think?
>>
>> Thanks, Dims
>
> This is annoying from a packaging PoV.
>
> We have dependencies relying on pycrypto (e.g. oauthlib used by
> keystone, paramiko by even more projects), and we can't control
> the order of installation. My 2 cts will be to favor the latter
> solution and test both combinations until N or O releases (and then
> get rid of pycrypto definitively), so we can handle this
> gracefully.
>
> Regards, H.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
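
The install-order problem discussed in this thread exists because pycrypto and pycryptodome both install the same top-level `Crypto` package. The following check is an added example, not code from the thread or from any OpenStack project: it flags a requirements list, or the running environment, that contains both. The function names and the sample requirements text are constructed for illustration.

```python
"""Flag dependency sets in which two distributions both ship the `Crypto` package."""
import re
from importlib import metadata

# Both projects named in the thread install the same top-level `Crypto` package.
CRYPTO_PROVIDERS = {"pycrypto", "pycryptodome"}

def normalize(name):
    """PEP 503 normalization, so 'PyCrypto' and 'pycrypto' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Return the distribution names listed in requirements/constraints text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(match.group(0))
    return names

def check(dist_names):
    """Return (ok, message); ok is False when both providers are present."""
    found = sorted({normalize(n) for n in dist_names} & CRYPTO_PROVIDERS)
    if len(found) > 1:
        return False, "conflict: %s both install 'Crypto'" % " and ".join(found)
    if found:
        return True, "'Crypto' is provided by %s" % found[0]
    return True, "no 'Crypto' provider present"

def installed_names():
    """Names of the distributions installed for the running interpreter."""
    return [d.metadata.get("Name") or "" for d in metadata.distributions()]

# Constructed sample input (not taken from any real requirements file).
SAMPLE = """\
PyCrypto>=2.6        # wanted by paramiko and oauthlib
pysaml2===4.0.3
pycryptodome         # wanted by pysaml2 4.0.3
"""

if __name__ == "__main__":
    print(check(parse_requirements(SAMPLE))[1])
    print(check(installed_names())[1])
```

Run as a gate in CI, a `False` result from `check()` catches the mixed install before the order in which the two packages were installed decides which `Crypto` is imported.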