On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> Currently Kolla uses pycrypto in our requirements. I see a lot of
> big tent projects moving to cryptography. Is this just my
> imagination, or was there a decision on this from the requirements
> team? We are happy to comply with whatever dep management is
> considered appropriate for OpenStack ESPECIALLY as it relates to
> security and crypto libraries.

The only "decision" I'm aware of from the requirements reviewers
(long before it was an official team) was ~2.5 years ago when
cryptography was introduced into global requirements by developers
wishing to use it in Barbican:

    https://review.openstack.org/93794

Keystone seems to have added it into their own requirements soon
thereafter, a little over 2 years ago, for access to fernet
primitives to use in their lightweight token implementation:

    https://review.openstack.org/145317

Nova introduced it roughly 1.5 years ago to replace some hacky
callouts to the openssl command-line utility in a number of
functions:

    https://review.openstack.org/198246

I'm sure I could find more examples, but this demonstrates there's
been a gradual uptake in the library in key parts of OpenStack over
the course of years. Is there a particular recent addition of it in
some project which took you by surprise?

> I’d just like confirmation if we should move off pycrypto to
> cryptography, or if these two things offer similar functionality,
> or if I’m way off base here ☺.

They both seem to be pretty solid and widely used, even though
cryptography has much more recent origins and so is still seeing a
lot more active development. This LWN article, ironically, describes
the events leading to its origins and covering reasons why it's
somewhat aligned with OpenStack-specific use cases:

    https://lwn.net/Articles/595790/

> An orthogonal question I have received from one of our community
> members (Pavo on irc) is whether pycrypto (or if we move to
> cryptography) provide FIPS-140-2 compliance.

My understanding is that if you need, for example, a FIPS-compliant
AES implementation under the hood, then this is dependent more on
what backend libraries you're using... e.g.,

    https://www.openssl.org/docs/fips.html
    https://www.openssl.org/docs/fipsvalidation.html

-- 
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
