So, pycrypto decided to rename themselves a while ago. At the same time they did an ABI change. This is causing projects that dep on them to have to handle both at the same time. While some projects have migrated, most have not.
A problem has come up where a project has a CVE (pysaml2) and the fix is only in versions after they changed to pycryptodome. This means that in order to consume the fix in a python-native way, all the pycrypto dependencies would need to be updated to pycryptodome in all projects in the same namespace that pysaml2 is installed.

Possible solutions:

update everything to pycryptodome
  * would be the best going forward
  * a ton of work very late in the cycle

have upstream pysaml2 release a fix based on the code before the change
  * less work
  * should still circle around and update the world in pike
  * 4.0.2 was the last release, 4.0.3 was the change
  * would necessitate a 4.0.2.1 release
  * tag was removed, can hopefully be recovered for checkout/branch

Here's the upstream bug to browse at your leisure :)

https://github.com/rohe/pysaml2/issues/366

--
Matthew Thode (prometheanfire)
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev