[Twisted-Python] dropping old pyOpenSSL versions

Tristan Seligmann mithrandi at mithrandi.net
Thu Jul 7 16:03:45 MDT 2016


On Thu, 7 Jul 2016 at 23:07 Clayton Daley <clayton.daley at gmail.com> wrote:

> I don't object to this specific change (we're on shiny new code), but want
> to offer some food-for-thought:
>
> 1) Is newer really better in cryptography?  Heartbleed affected 1.0.1, but
> not 1.0.0 and there are a bunch of vulnerabilities that only affect the
> newer libraries (https://www.openssl.org/news/vulnerabilities.html).  It
> even makes sense that the older libraries have been more-thoroughly
> tested... so new code may just mean new vulnerabilities.
>

First of all, newer cryptography and newer OpenSSL are different things.
Given that cryptography itself is mostly made of Python and cffi, not C
code, I think it's unlikely that a newer version of cryptography is likely
to be worse than an older one. Older libraries being "more thoroughly
tested" only really applies where a library has a plethora of simultaneous
release channels; for most libraries, using older versions just means
missing out on any fixes for issues that were found more recently than the
release was released.

Even regarding OpenSSL, which is a horrible pile of C, it's unlikely that
the potential of another *Heartbleed*-like issue is more dangerous than the
lack of actual known improvements.

2) How does this impact regulated industries.  In healthcare (my current
> industry), changing a library (especially cryptography) could mean:
>
>    - An internal review to select a new version of the library
>    - An internal change management process
>    - Technical testing (perhaps a 3rd party audit)
>    - A notification to clients of the change
>    - Secondary reviews/testing at clients
>
> The intensity of this process depends on the risk level of the system and
> this could be a long and complicated process for some organizations.  Seems
> like a more deliberate deprecation policy would make it easier to plan
> ahead.
>

Wouldn't all of the above apply equally to the new version of Twisted? I
would imagine you could upgrade Twisted and cryptography at the same time,
thus only doing one round of testing/review/etc. for both. (Perhaps I'm
missing something?)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20160707/dc5808f0/attachment-0002.html>


More information about the Twisted-Python mailing list