[Twisted-Python] dropping old pyOpenSSL versions

Glyph Lefkowitz glyph at twistedmatrix.com
Thu Jul 7 13:50:25 MDT 2016


In the past, we've been very conservative about updating to require new versions of pyOpenSSL and cryptography.

Right now we have a patch, <https://github.com/twisted/twisted/pull/146> (<https://twistedmatrix.com/trac/ticket/8441#comment:1>), that I'd like to just land.  However, it establishes a dependency on a new version of pyOpenSSL, which transitively establishes a dependency on a new version of Cryptography.

Generally, my thinking has evolved over the last few years to think that security dependencies like this should move fast, especially on projects (like pyOpenSSL and cryptography specifically) that don't maintain "stable" branches which do security patch-releases.

In this specific case, the fix is not urgent; as it turns out, the Netscape SPKI APIs actually do do the desired thing, which is just hashing the DER bytes of the key.  (At the time I made the change to use Netscape SPKI, I thought it might be including some other junk in the hash; we just lucked out here.)  It's just a gross API for doing it which we should stop using now that better APIs have been exposed to do the same thing.

However, it bears discussing - what are the things that hold us to older versions of pyOpenSSL and cryptography?  Is there any good reason not to move our version pins forward whenever there's a new API or feature that we'd like, even for something simple like this cleanup?

My default position is "upgrade upgrade upgrade" so if there's not a lot of interest in this discussion I'll probably just land the PR in question as-is.

Thanks all,

-glyph
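The "desired thing" in the message above is a key fingerprint computed over the DER-encoded SubjectPublicKeyInfo, with nothing else mixed into the hash. The following is an added example, not Twisted's, pyOpenSSL's or cryptography's code: it uses only the Python standard library, so a tiny DER encoder builds a SubjectPublicKeyInfo for an EC key and a tiny DER decoder sanity-checks the structure before SHA-256 is taken over the exact bytes. The sample P-256 point coordinates are constructed filler, not a real key; the function and constant names are this example's own.

```python
"""Public-key fingerprint = SHA-256 over the DER-encoded SubjectPublicKeyInfo.

Added example (not Twisted's or pyOpenSSL's code). Standard library only:
a minimal DER encoder/decoder builds a constructed EC SubjectPublicKeyInfo,
and the fingerprint is just a hash over those bytes and nothing else.
"""
import hashlib


def der_length(n: int) -> bytes:
    """Encode a DER length: short form (< 128) or long form (0x80|k, then k bytes)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode(tag: int, body: bytes) -> bytes:
    """One TLV element: tag byte, DER length, body."""
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode an OBJECT IDENTIFIER (first two arcs folded, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_encode(0x06, bytes(out))


def parse_tlv(data: bytes, offset: int = 0):
    """Decode one TLV at offset and return (tag, body, offset_after).

    Rejects non-minimal long-form lengths and truncated bodies, both of
    which DER forbids; a fingerprint over malformed bytes is meaningless.
    """
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        k = first & 0x7F
        if k == 0 or k > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[pos:pos + k], "big")
        if length < 0x80 or data[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += k
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def build_ec_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.

    AlgorithmIdentifier here is { id-ecPublicKey, prime256v1 }; the BIT STRING
    carries the uncompressed point with a leading 0x00 "unused bits" byte.
    """
    algorithm = der_encode(
        0x30, der_oid("1.2.840.10045.2.1") + der_oid("1.2.840.10045.3.1.7")
    )
    bit_string = der_encode(0x03, b"\x00" + point)
    return der_encode(0x30, algorithm + bit_string)


def spki_fingerprint(spki_der: bytes) -> str:
    """Hex SHA-256 of the exact SPKI DER bytes, after a structural sanity check."""
    tag, body, end = parse_tlv(spki_der)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("not a single DER SEQUENCE")
    alg_tag, _, after_alg = parse_tlv(body)
    key_tag, _, after_key = parse_tlv(body, after_alg)
    if alg_tag != 0x30 or key_tag != 0x03 or after_key != len(body):
        raise ValueError("not a SubjectPublicKeyInfo")
    return hashlib.sha256(spki_der).hexdigest()


# Constructed sample: uncompressed P-256 point (0x04 || X || Y) with filler
# coordinates. It is not a real key; only the encoding shape matters here.
SAMPLE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
SAMPLE_SPKI = build_ec_spki(SAMPLE_POINT)

if __name__ == "__main__":
    print("SPKI DER:", SAMPLE_SPKI.hex())
    print("fingerprint:", spki_fingerprint(SAMPLE_SPKI))
```

The point of the structural check is that the fingerprint is defined over the DER of the whole SubjectPublicKeyInfo (algorithm identifier included), so two encodings of the "same" key with different algorithm parameters or a non-minimal length produce different digests; `parse_tlv` rejecting non-canonical lengths is what keeps the digest tied to one canonical byte sequence.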

