-----Original Message-----
From: Ian Cordasco <sigmaviru...@gmail.com>
Reply: Ian Cordasco <sigmaviru...@gmail.com>
Date: January 11, 2017 at 11:09:11
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] updating to pycryptome from pycrypto

> -----Original Message-----
> From: Matthew Thode
> Reply: prometheanf...@gentoo.org , OpenStack Development Mailing List (not for usage questions)
> Date: January 11, 2017 at 04:53:41
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: [openstack-dev] updating to pycryptome from pycrypto
>
> > So, pycrypto decided to rename themselves a while ago. At the same time
> > they did an ABI change. This is causing projects that dep on them to
> > have to handle both at the same time. While some projects have
> > migrated, most have not.
> >
> > A problem has come up where a project has a CVE (pysaml2) and the fix is
> > only in versions after they changed to pycryptome. This means that in
> > order to consume the fix in a python-native way all the pycrypto
> > dependencies would need to be updated to pycryptome in all projects in the
> > same namespace that pysaml2 is installed.
> >
> > Possible solutions:
> >
> > update everything to pycryptome
> > * would be the best going forward
> > * a ton of work very late in the cycle
> >
> > have upstream pysaml2 release a fix based on the code before the change
> > * less work
> > * should still circle around and update the world in pike
> > * 4.0.2 was the last release; 4.0.3 was the change
> > * would necessitate a 4.0.2.1 release
> > * tag was removed, can hopefully be recovered for checkout/branch
> >
> >
> > Here's the upstream bug to browse at your leisure :)
> >
> > https://github.com/rohe/pysaml2/issues/366
>
> I don't think pycrypto actually willfully renamed itself. [1] As I understand it, pycryptome
> is a fork of pycrypto made after pycrypto decided that they wanted to tell people to use
> pyca/cryptography instead. Frankly, given pycrypto's history (and the history that
> pycryptome has probably inherited), I'd suspect that the best effort for those of us
> interested is to help pysaml2 express the deficits it has with cryptography so it can
> move to a better project. If there are no deficits, then we should focus on helping pysaml2
> port to cryptography.
>
> [1]: I'm verifying this with some people who know better

So I did verify that there are *several* hostile forks of PyCrypto. That said, the work to
move pysaml2 to cryptography has been finished: https://github.com/rohe/pysaml2/pull/385

I'd ask OpenStackers to not start a brigade of +1s on the thread, but if y'all want to watch
it and help convince the maintainer (*if* they need convincing) to merge this, that would be
appreciated.

Cheers,
--
Ian Cordasco

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev