
[openstack-dev] updating to pycryptome from pycrypto

0 votes

So, pycrypto decided to rename themselves a while ago. At the same time
they did an ABI change. This is causing projects that dep on them to
have to handle both at the same time. While some projects have
migrated, most have not.

A problem has come up where a project has a CVE (pysaml2) and the fix is
only in versions after they changed to pycryptome. This means that in
order to consume the fix in a python-native way all the pycrypto
dependency would need to be updated to pycryptome in all projects in the
same namespace that pysaml2 is installed.

Possible solutions:

update everything to pycryptome
* would be the best going forward
* a ton of work very late in the cycle

have upstream pysaml2 release a fix based on the code before the change
* less work
* should still circle around and update the world in pike
* 4.0.2 was the last release; 4.0.3 was the change
* would necessitate a 4.0.2.1 release
* tag was removed, can hopefully be recovered for checkout/branch

Here's the upstream bug to browse at your leisure :)

https://github.com/rohe/pysaml2/issues/366

--
Matthew Thode (prometheanfire)


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

asked Jan 12, 2017 in openstack-dev by prometheanfire_at_ge (6,880 points)
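The namespace point in the post above (a fix that is only available on the renamed library cannot be consumed unless every co-installed project switches too) is the kind of thing worth checking mechanically before a deploy. The following is an added example, not code from the thread, from pysaml2 or from OpenStack: it audits a `{distribution: version}` map for the two failure modes the post describes, a pysaml2 older than the fix and two distributions competing for one import package. The version numbers (4.0.2 as the last release before the switch, 4.0.3 as the switch, 4.0.2.1 as the proposed backport) are taken from the post; the distribution name `pycryptodome` as the renamed library, and the claim that pycrypto and pycryptodome both install the top-level `Crypto` package while pycryptodomex uses `Cryptodome`, are my assumptions rather than anything the thread states.

```python
"""Audit an environment for the pysaml2 / pycrypto dependency situation.

Added example; the version thresholds come from the mailing-list post,
the distribution-to-namespace mapping is an assumption.
"""
from __future__ import annotations

import importlib.metadata as md
import itertools

# Distributions that install the same top-level import package cannot coexist
# in one site-packages: whichever was installed last silently wins, so a fix
# shipped in one of them may or may not be what actually gets imported.
# Mapping is an assumption, not stated in the thread.
NAMESPACE_PROVIDERS = {
    "pycrypto": "Crypto",
    "pycryptodome": "Crypto",
    "pycryptodomex": "Cryptodome",
}

PYSAML2_SWITCH = (4, 0, 3)       # first release on the renamed library (from the post)
PYSAML2_BACKPORT = (4, 0, 2, 1)  # proposed pycrypto-based fix release (hypothetical)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.0.2.1' or '3.4.3rc1' into a tuple of ints that compares correctly."""
    parts = []
    for piece in text.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(installed: dict[str, str]) -> list[str]:
    """Return findings for a {distribution: version} map; an empty list means clean."""
    dists = {name.lower(): ver for name, ver in installed.items()}
    findings: list[str] = []

    # 1. Two distributions fighting over one import namespace.
    claims: dict[str, list[str]] = {}
    for dist, pkg in NAMESPACE_PROVIDERS.items():
        if dist in dists:
            claims.setdefault(pkg, []).append(dist)
    for pkg, owners in claims.items():
        if len(owners) > 1:
            findings.append(f"CLASH: {' and '.join(sorted(owners))} both install '{pkg}'")

    # 2. Where pysaml2 sits relative to the fix.
    ver = dists.get("pysaml2")
    if ver is None:
        return findings
    v = parse_version(ver)
    if v >= PYSAML2_SWITCH:
        # Post-switch release: the fix is present, but only if the renamed
        # library it now depends on is actually installed.
        if "pycryptodome" not in dists:
            findings.append(
                f"MISSING: pysaml2 {ver} needs pycryptodome, which is not installed"
            )
    elif v >= PYSAML2_BACKPORT:
        pass  # hypothetical backport on the old dependency: nothing to report
    else:
        findings.append(
            f"VULNERABLE: pysaml2 {ver} predates the fix "
            f"(needs >= 4.0.2.1 backport or >= 4.0.3)"
        )
    return findings


def audit_live_environment() -> list[str]:
    """Run the audit against the interpreter's own installed distributions."""
    installed: dict[str, str] = {}
    for dist in md.distributions():
        try:
            installed[dist.metadata["Name"]] = dist.version
        except (KeyError, TypeError):
            continue  # skip broken .egg-info / .dist-info entries
    return audit(installed)


if __name__ == "__main__":
    for line in audit_live_environment() or ["clean"]:
        print(line)
```

Run it inside the virtualenv you are about to deploy; a `CLASH` finding means the `Crypto` package on disk is whichever distribution `pip` unpacked last, regardless of what the requirements file says, which is exactly why the post argues the migration has to happen for every project sharing the namespace at once.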

2 Responses

0 votes

-----Original Message-----
From: Matthew Thode prometheanfire@gentoo.org
Reply: prometheanfire@gentoo.org prometheanfire@gentoo.org,
OpenStack Development Mailing List (not for usage questions)

Date: January 11, 2017 at 04:53:41
To: OpenStack Development Mailing List (not for usage questions)

Subject:  [openstack-dev] updating to pycryptome from pycrypto

So, pycrypto decided to rename themselves a while ago. At the same time
they did an ABI change. This is causing projects that dep on them to
have to handle both at the same time. While some projects have
migrated, most have not.

A problem has come up where a project has a CVE (pysaml2) and the fix is
only in versions after they changed to pycryptome. This means that in
order to consume the fix in a python-native way all the pycrypto
dependency would need to be updated to pycryptome in all projects in the
same namespace that pysaml2 is installed.

Possible solutions:

update everything to pycryptome
* would be the best going forward
* a ton of work very late in the cycle

have upstream pysaml2 release a fix based on the code before the change
* less work
* should still circle around and update the world in pike
* 4.0.2 was the last release; 4.0.3 was the change
* would necessitate a 4.0.2.1 release
* tag was removed, can hopefully be recovered for checkout/branch

Here's the upstream bug to browse at your leisure :)

https://github.com/rohe/pysaml2/issues/366

I don't think pycrypto actually willfully renamed itself. [1] As I
understand it, pycryptome is a fork of pycrypto made after pycrypto
decided that they wanted to tell people to use pyca/cryptography
instead. Frankly, given pycrypto's history (and the history that
pycryptome has probably inherited), I'd suspect that the best effort
for those of us interested is to help pysaml2 express the deficits it
has with cryptography so it can move to a better project. If there are
no deficits, then we should focus on helping pysaml2 port to
cryptography.

[1]: I'm verifying this with some people who know better

Cheers,
--
Ian Cordasco


responded Jan 11, 2017 by sigmavirus24_at_gmai (8,720 points)
0 votes

-----Original Message-----
From: Ian Cordasco sigmavirus24@gmail.com
Reply: Ian Cordasco sigmavirus24@gmail.com
Date: January 11, 2017 at 11:09:11
To: OpenStack Development Mailing List (not for usage questions)

Subject:  Re: [openstack-dev] updating to pycryptome from pycrypto

-----Original Message-----
From: Matthew Thode
Reply: prometheanfire@gentoo.org , OpenStack Development
Mailing List (not for usage questions)
Date: January 11, 2017 at 04:53:41
To: OpenStack Development Mailing List (not for usage questions)
Subject: [openstack-dev] updating to pycryptome from pycrypto

So, pycrypto decided to rename themselves a while ago. At the same time
they did an ABI change. This is causing projects that dep on them to
have to handle both at the same time. While some projects have
migrated, most have not.

A problem has come up where a project has a CVE (pysaml2) and the fix is
only in versions after they changed to pycryptome. This means that in
order to consume the fix in a python-native way all the pycrypto
dependency would need to be updated to pycryptome in all projects in the
same namespace that pysaml2 is installed.

Possible solutions:

update everything to pycryptome
* would be the best going forward
* a ton of work very late in the cycle

have upstream pysaml2 release a fix based on the code before the change
* less work
* should still circle around and update the world in pike
* 4.0.2 was the last release; 4.0.3 was the change
* would necessitate a 4.0.2.1 release
* tag was removed, can hopefully be recovered for checkout/branch

Here's the upstream bug to browse at your leisure :)

https://github.com/rohe/pysaml2/issues/366

I don't think pycrypto actually willfully renamed itself. [1] As I understand it, pycryptome
is a fork of pycrypto made after pycrypto decided that they wanted to tell people to use
pyca/cryptography instead. Frankly, given pycrypto's history (and the history that
pycryptome has probably inherited), I'd suspect that the best effort for those of us
interested is to help pysaml2 express the deficits it has with cryptography so it can
move to a better project. If there are no deficits, then we should focus on helping pysaml2
port to cryptography.

[1]: I'm verifying this with some people who know better

So I did verify that there are several hostile forks of PyCrypto.
That said, the work to move pysaml2 to cryptography has been finished:
https://github.com/rohe/pysaml2/pull/385

I'd ask OpenStackers to not start a brigade of +1s on the thread, but
if y'all want to watch it and help convince the maintainer (if they
need convincing) to merge this, that would be appreciated.

Cheers,
--
Ian Cordasco


responded Jan 12, 2017 by sigmavirus24_at_gmai (8,720 points)