[Twisted-Python] dropping old pyOpenSSL versions

Clayton Daley clayton.daley at gmail.com
Thu Jul 7 17:00:47 MDT 2016


>
> First of all, newer cryptography and newer OpenSSL are different things.


The proposal was a change to pyOpenSSL.  If newer is better in all
(potentially) affected layers, then you've answered my question in the
affirmative.


> 2) How does this impact regulated industries.  In healthcare (my current
>> industry), changing a library (especially cryptography) could mean:
>>
>>    - An internal review to select a new version of the library
>>    - An internal change management process
>>    - Technical testing (perhaps a 3rd party audit)
>>    - A notification to clients of the change
>>    - Secondary reviews/testing at clients
>>
>> The intensity of this process depends on the risk level of the system and
>> this could be a long and complicated process for some organizations.  Seems
>> like a more deliberate deprecation policy would make it easier to plan
>> ahead.
>>
>
> Wouldn't all of the above apply equally to the new version of Twisted? I
> would imagine you could upgrade Twisted and cryptography at the same time,
> thus only doing one round of testing/review/etc. for both. (Perhaps I'm
> missing something?)
>

Regulations require an amount of scrutiny proportionate to the risk.  We're
small so it's not as obvious in our policies and procedures, but the
potential for big differences in process are exemplified by this paraphrase
from a vendor's document (since I'm not sure I can outright quote it):

Changes with a high rank are escalated to the individual in Role X and
> Committee Y for approval

Changes with a medium risk are escalated to the individual in Role X for
> approval

[presumably low risk changes aren't escalated]
>

So your question comes down to... is a point release in Twisted as risky as
a change to the cryptography stack? You'd certainly know better than I.

Clayton Daley
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/twisted-python/attachments/20160707/8b279a54/attachment-0002.html>


More information about the Twisted-Python mailing list