Subject: Re: [openstack-dev] updating to pycryptome from

-----Original Message-----
From: Matthew Thode <[email protected]>
Reply: [email protected] <[email protected]>,
OpenStack Development Mailing List (not for usage questions)
<[email protected]>
Date: January 11, 2017 at 04:53:41
To: OpenStack Development Mailing List (not for usage questions)
<[email protected]>
Subject:  [openstack-dev] updating to pycryptome from pycrypto

> So, pycrypto decided to rename themselves a while ago. At the same time
> they did an ABI change. This is causing projects that dep on them to
> have to handle both at the same time. While some projects have
> migrated, most have not.
> A problem has come up where a project has a CVE (pysaml2) and the fix is
> only in versions after they changed to pycryptome. This means that in
> order to consume the fix in a python-native way all the pycrypto
> dependency would need to be updated to pycryptome in all projects in the
> same namespace that pysaml2 is installed.
> Possible solutions:
> update everything to pycryptome
> * would be the best going forward
> * a ton of work very late in the cycle
> have upstream pysaml2 release a fix based on the code before the change
> * less work
> * should still circle around and update the world in pike
> * 4.0.2 was the last release 4.0.3 was the change
> * would necessitate a release
> * tag was removed, can hopefully be recovered for checkout/branch
> Here's the upstream bug to browse at your leisure :)

I don't think pycrypto actually willfully renamed itself. [1] As I
understand it, pycryptome is a fork of pycrypto made after pycrypto
decided that they wanted to tell people to use pyca/cryptography
instead. Frankly, given pycrypto's history (and the history that
pycryptome has probably inherited), I'd suspect that the best effort
for those of us interested, is to help pysaml2 express the deficits it
has with cryptography so it can move to a better project. If there are
no deficits, then we should focus on helping pysaml2 port to

[1]: I'm verifying this with some people who know better

Ian Cordasco

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe

Programming list archiving by: Enterprise Git Hosting