Re: [openstack-dev] updating to pycryptome from pycrypto

2017-01-12 Thread Ian Cordasco
-Original Message-
From: Ian Cordasco <sigmaviru...@gmail.com>
Reply: Ian Cordasco <sigmaviru...@gmail.com>
Date: January 11, 2017 at 11:09:11
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev@lists.openstack.org>
Subject:  Re: [openstack-dev] updating to pycryptome from pycrypto

> -Original Message-
> From: Matthew Thode
> Reply: prometheanf...@gentoo.org, OpenStack Development
> Mailing List (not for usage questions)
> Date: January 11, 2017 at 04:53:41
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: [openstack-dev] updating to pycryptome from pycrypto
>
> > So, pycrypto decided to rename themselves a while ago. At the same time
> > they did an ABI change. This is causing projects that dep on them to
> > have to handle both at the same time. While some projects have
> > migrated, most have not.
> >
> > A problem has come up where a project has a CVE (pysaml2) and the fix is
> > only in versions after they changed to pycryptome. This means that in
> > order to consume the fix in a python-native way all the pycrypto
> > dependency would need to be updated to pycryptome in all projects in the
> > same namespace in which pysaml2 is installed.
> >
> > Possible solutions:
> >
> > update everything to pycryptome
> > * would be the best going forward
> > * a ton of work very late in the cycle
> >
> > have upstream pysaml2 release a fix based on the code before the change
> > * less work
> > * should still circle around and update the world in pike
> > * 4.0.2 was the last release; 4.0.3 was the change
> > * would necessitate a 4.0.2.1 release
> > * tag was removed, can hopefully be recovered for checkout/branch
> >
> >
> > Here's the upstream bug to browse at your leisure :)
> >
> > https://github.com/rohe/pysaml2/issues/366
>
> I don't think pycrypto actually willfully renamed itself. [1] As I
> understand it, pycryptome is a fork of pycrypto made after pycrypto
> decided that they wanted to tell people to use pyca/cryptography
> instead. Frankly, given pycrypto's history (and the history that
> pycryptome has probably inherited), I'd suspect that the best effort
> for those of us interested is to help pysaml2 express the deficits it
> has with cryptography so it can move to a better project. If there are
> no deficits, then we should focus on helping pysaml2 port to
> cryptography.
>
>
> [1]: I'm verifying this with some people who know better

So I did verify that there are *several* hostile forks of PyCrypto.
That said, the work to move pysaml2 to cryptography has been finished:
https://github.com/rohe/pysaml2/pull/385

I'd ask OpenStackers to not start a brigade of +1s on the thread, but
if y'all want to watch it and help convince the maintainer (*if* they
need convincing) to merge this, that would be appreciated.

Cheers,
--
Ian Cordasco

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] updating to pycryptome from pycrypto

2017-01-11 Thread Ian Cordasco
-Original Message-
From: Matthew Thode <prometheanf...@gentoo.org>
Reply: prometheanf...@gentoo.org <prometheanf...@gentoo.org>,
OpenStack Development Mailing List (not for usage questions)
<openstack-dev@lists.openstack.org>
Date: January 11, 2017 at 04:53:41
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev@lists.openstack.org>
Subject:  [openstack-dev] updating to pycryptome from pycrypto

> So, pycrypto decided to rename themselves a while ago. At the same time
> they did an ABI change. This is causing projects that dep on them to
> have to handle both at the same time. While some projects have
> migrated, most have not.
>
> A problem has come up where a project has a CVE (pysaml2) and the fix is
> only in versions after they changed to pycryptome. This means that in
> order to consume the fix in a python-native way all the pycrypto
> dependency would need to be updated to pycryptome in all projects in the
> same namespace in which pysaml2 is installed.
>
> Possible solutions:
>
> update everything to pycryptome
> * would be the best going forward
> * a ton of work very late in the cycle
>
> have upstream pysaml2 release a fix based on the code before the change
> * less work
> * should still circle around and update the world in pike
> * 4.0.2 was the last release; 4.0.3 was the change
> * would necessitate a 4.0.2.1 release
> * tag was removed, can hopefully be recovered for checkout/branch
>
>
> Here's the upstream bug to browse at your leisure :)
>
> https://github.com/rohe/pysaml2/issues/366

I don't think pycrypto actually willfully renamed itself. [1] As I
understand it, pycryptome is a fork of pycrypto made after pycrypto
decided that they wanted to tell people to use pyca/cryptography
instead. Frankly, given pycrypto's history (and the history that
pycryptome has probably inherited), I'd suspect that the best effort
for those of us interested is to help pysaml2 express the deficits it
has with cryptography so it can move to a better project. If there are
no deficits, then we should focus on helping pysaml2 port to
cryptography.


[1]: I'm verifying this with some people who know better

Cheers,
--
Ian Cordasco



[openstack-dev] updating to pycryptome from pycrypto

2017-01-11 Thread Matthew Thode
So, pycrypto decided to rename themselves a while ago.  At the same time
they did an ABI change.  This is causing projects that dep on them to
have to handle both at the same time.  While some projects have
migrated, most have not.

A problem has come up where a project has a CVE (pysaml2) and the fix is
only in versions after they changed to pycryptome.  This means that in
order to consume the fix in a python-native way all the pycrypto
dependency would need to be updated to pycryptome in all projects in the
same namespace in which pysaml2 is installed.

Possible solutions:

update everything to pycryptome
  * would be the best going forward
  * a ton of work very late in the cycle

have upstream pysaml2 release a fix based on the code before the change
  * less work
  * should still circle around and update the world in pike
  * 4.0.2 was the last release; 4.0.3 was the change
  * would necessitate a 4.0.2.1 release
  * tag was removed, can hopefully be recovered for checkout/branch


Here's the upstream bug to browse at your leisure :)

https://github.com/rohe/pysaml2/issues/366

-- 
Matthew Thode (prometheanfire)


