> On Dec 28, 2015, at 1:51 AM, Cory Benfield <c...@lukasa.co.uk> wrote:
>
>> On 28 Dec 2015, at 09:35, Hynek Schlawack <h...@ox.cx> wrote:
>>
>> Hi,
>>
>> we have quite a bit of pull requests on pyOpenSSL that revolve around
>> improving the state of x509 objects in general as far as I understand it.
>>
>> Since I already got reprimanded by Alex G for merging one because
>> cryptography has routines for that, I wonder if we should close them all as
>> WONTFIX and instead add methods akin to `PKey.from_cryptography()`,
>> `key_instance.to_cryptography()`.
>>
>> I welcome any feedback. The current pyOpenSSL situation which is mostly a
>> swamp of guilt is becoming unbearable to me. When I took over
>> maintainership I made it clear that I see myself mostly as a repo janitor
>> and Bad Ideas Deflector™. Sadly that’s not working out at all. Getting rid
>> of the burden of actually moving forward a whole sub-system might alleviate
>> that a bit I guess (this is not meant as an ultimatum, I have no idea if
>> it’d help).
>
> As official “sometimes helps Hynek when he feels sad” person, I’m strongly in
> favour of deprecating whatever we can from PyOpenSSL if there is a good
> alternative available (i.e. cryptography). It’s frustrating and perplexing
> that installing PyOpenSSL gives you two interfaces for working with X509
> certs, and where the top layer is arguably *less* helpful (and definitely
> more surprising) than the layer it uses to do the real work.
>
> To make this kind of deprecation work I think we definitely need a to/from
> cryptography method to have been in place for a while, so I’m in favour of
> this plan. Long term, however, I want PyOpenSSL stripped down to be only what
> cryptography itself does not do.

Long term, shouldn't pyOpenSSL be removed entirely, and Cryptography just does everything?

In the meanwhile though, I think that from_cryptography/to_cryptography are a good idea, and should contain a clear explanation of this plan: in other words, everyone using pyOpenSSL should start rewriting their applications to use the 'cryptography' objects as much as possible.

Right now, things are in a bit of a muddled state; pyOpenSSL is still the only package available to do many things (in particular: TLS) but pull requests are being refused on the grounds that Cryptography has superseded it, when there still isn't a clear interop strategy. These methods (especially if properly documented) could really improve this situation.

-glyph

_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev