Sounds like a good candidate for a cross-project release goal. A non-controversial situation, the work is a no-op for most, a specific deliverable for a few, and a mechanism to close the loop and make sure it gets done in a specific timeframe?
Thanks for surfacing it Matthew.

-amrith

-----Original Message-----
From: Davanum Srinivas [mailto:dava...@gmail.com]
Sent: Wednesday, March 8, 2017 2:30 PM
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [requirements] pycrypto is dead, long live pycryptodome... or cryptography...

Ack thanks Matthew!

On Wed, Mar 8, 2017 at 2:24 PM, Matthew Thode <prometheanf...@gentoo.org> wrote:
> I'm aware, iirc it was brought up when pysaml2 had to be fixed due to
> a CVE. This thread is more looking for a long term fix.
>
> On 03/08/2017 01:11 PM, Davanum Srinivas wrote:
>> Matthew,
>>
>> Please see the last time I took inventory:
>> https://review.openstack.org/#/q/pycryptodome+owner:dims-v
>>
>> Thanks,
>> Dims
>>
>> On Wed, Mar 8, 2017 at 2:03 PM, Matthew Thode <prometheanf...@gentoo.org> wrote:
>>> So, pycrypto upstream is dead and has been for a while, we should
>>> look at moving off of it for both bugfix and security reasons.
>>>
>>> Currently it's used by the following.
>>>
>>> barbican, cinder, trove, glance, heat, keystoneauth,
>>> keystonemiddleware, kolla, openstack-ansible, and a couple of other smaller places.
>>>
>>> Development of it was forked into pycryptodome, which is supposed to
>>> be a drop in replacement. The problem is that due to
>>> co-installability requirements we can't have half of packages out
>>> there using pycrypto and the other half using pycryptodome. We'd
>>> need to hard switch everyone as both packages install into the same namespace.
>>>
>>> Another alternative would be to use something like cryptography
>>> instead, though it is not a drop in replacement, the migration would
>>> be able to be done piecemeal.
>>>
>>> I'd be interested in hearing about migration plans, especially from
>>> the affected projects.
>>>
>>> --
>>> Matthew Thode (prometheanfire)
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
> --
> Matthew Thode (prometheanfire)

--
Davanum Srinivas :: https://twitter.com/dims
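
An added example, not part of the thread or of any OpenStack project's code: one way to take the kind of inventory discussed above is to scan a module's source for imports that go through the shared `Crypto` namespace versus `cryptography`. The function names and the sample module are constructed for illustration.

```python
import ast

# Top-level import names. "Crypto" is shared by pycrypto and pycryptodome,
# so source code alone cannot tell which of the two a module expects.
NAMESPACES = {"Crypto": "pycrypto/pycryptodome", "cryptography": "cryptography"}


def crypto_imports(source, filename="<constructed>"):
    """Return sorted (lineno, module, provider) for each crypto import in source."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # level == 0 skips relative imports such as "from . import Crypto"
            modules = [node.module]
        else:
            continue
        for module in modules:
            provider = NAMESPACES.get(module.split(".")[0])
            if provider:
                hits.append((node.lineno, module, provider))
    return sorted(hits)


def uses_shared_namespace(hits):
    """True if any import still resolves through the shared Crypto namespace."""
    return any(provider == "pycrypto/pycryptodome" for _, _, provider in hits)


# Constructed sample module, not taken from any OpenStack project.
SAMPLE = '''\
import os
from Crypto.Cipher import AES
import Crypto.Random, json
from cryptography.hazmat.primitives import hashes
from . import Crypto
'''

if __name__ == "__main__":
    found = crypto_imports(SAMPLE)
    for lineno, module, provider in found:
        print(f"line {lineno}: {module} -> {provider}")
    print("shared-namespace imports remain:", uses_shared_namespace(found))
```

Modules that report only `cryptography` imports are unaffected by the namespace collision; any hit on `Crypto` marks code that would move in the hard switch or need porting.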