Subject: [openstack-dev] updating to pycryptome from
pycrypto



So, pycrypto decided to rename themselves a while ago. At the same time
they did an ABI change. This is causing projects that dep on them to
have to handle both at the same time. While some projects have
migrated, most have not.

A problem has come up where a project has a CVE (pysaml2) and the fix is
only in versions after they changed to pycryptome. This means that in
order to consume the fix in a python-native way all the pycrypto
dependency would need to be updated to pycryptome in all projects in the
same namespace that pysaml2 is installed.

Possible solutions:

update everything to pycryptome
* would be the best going forward
* a ton of work very late in the cycle

have upstream pysaml2 release a fix based on the code before the change
* less work
* should still circle around and update the world in pike
* 4.0.2 was the last release 4.0.3 was the change
* would necessitate a 4.0.2.1 release
* tag was removed, can hopefully be recovered for checkout/branch


Here's the upstream bug to browse at your leisure :)

https://github.com/rohe/pysaml2/issues/366

--
Matthew Thode (prometheanfire)

Attachment: signature.asc
Description: OpenPGP digital signature

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
...



Programming list archiving by: Enterprise Git Hosting