Discussion:
[openstack-dev] [requirements][barbican][daisycloud][freezer][fuel][heat][pyghmi][rpm-packaging][solum][tatu][trove] pycrypto is dead and insecure, you should migrate
Matthew Thode
2018-05-13 17:22:06 UTC
This is a reminder to the projects called out that they are using old,
unmaintained and probably insecure libraries (it's been dead since
2014). Please migrate off to use the cryptography library. We'd like
to drop pycrypto from requirements for rocky.

See also, the bug, which has most of you cc'd already.

https://bugs.launchpad.net/openstack-requirements/+bug/1749574

+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| Repository | Filename | Line | Text |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| barbican | requirements.txt | 25 | pycrypto>=2.6 # Public Domain |
| daisycloud-core | code/daisy/requirements.txt | 17 | pycrypto>=2.6 # Public Domain |
| freezer | requirements.txt | 21 | pycrypto>=2.6 # Public Domain |
| fuel-web | nailgun/requirements.txt | 24 | pycrypto>=2.6.1 |
| heat-cfnclient | requirements.txt | 2 | PyCrypto>=2.1.0 |
| pyghmi | requirements.txt | 1 | pycrypto>=2.6 |
| rpm-packaging | requirements.txt | 189 | pycrypto>=2.6 # Public Domain |
| solum | requirements.txt | 24 | pycrypto>=2.6 # Public Domain |
| tatu | requirements.txt | 7 | pycrypto>=2.6.1 |
| tatu | test-requirements.txt | 7 | pycrypto>=2.6.1 |
| trove | integration/scripts/files/requirements/fedora-requirements.txt | 30 | pycrypto>=2.6 # Public Domain |
| trove | integration/scripts/files/requirements/ubuntu-requirements.txt | 29 | pycrypto>=2.6 # Public Domain |
| trove | requirements.txt | 47 | pycrypto>=2.6 # Public Domain |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
--
Matthew Thode (prometheanfire)
Zane Bitter
2018-05-15 16:25:04 UTC
Post by Matthew Thode
This is a reminder to the projects called out that they are using old,
unmaintained and probably insecure libraries (it's been dead since
2014). Please migrate off to use the cryptography library. We'd like
to drop pycrypto from requirements for rocky.
See also, the bug, which has most of you cc'd already.
https://bugs.launchpad.net/openstack-requirements/+bug/1749574
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| Repository | Filename | Line | Text |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| barbican | requirements.txt | 25 | pycrypto>=2.6 # Public Domain |
| daisycloud-core | code/daisy/requirements.txt | 17 | pycrypto>=2.6 # Public Domain |
| freezer | requirements.txt | 21 | pycrypto>=2.6 # Public Domain |
| fuel-web | nailgun/requirements.txt | 24 | pycrypto>=2.6.1 |
| heat-cfnclient | requirements.txt | 2 | PyCrypto>=2.1.0 |
AFAICT heat-cfnclient isn't actually using PyCrypto, even though it's
listed in requirements.txt. The whole project is just a light wrapper
around python-boto (though this wasn't always the case IIRC), so I
suspect it's just relying on boto for all of the auth stuff.
Post by Matthew Thode
| pyghmi | requirements.txt | 1 | pycrypto>=2.6 |
| rpm-packaging | requirements.txt | 189 | pycrypto>=2.6 # Public Domain |
| solum | requirements.txt | 24 | pycrypto>=2.6 # Public Domain |
| tatu | requirements.txt | 7 | pycrypto>=2.6.1 |
| tatu | test-requirements.txt | 7 | pycrypto>=2.6.1 |
| trove | integration/scripts/files/requirements/fedora-requirements.txt | 30 | pycrypto>=2.6 # Public Domain |
| trove | integration/scripts/files/requirements/ubuntu-requirements.txt | 29 | pycrypto>=2.6 # Public Domain |
| trove | requirements.txt | 47 | pycrypto>=2.6 # Public Domain |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Matthew Thode
2018-05-15 17:05:39 UTC
Post by Matthew Thode
This is a reminder to the projects called out that they are using old,
unmaintained and probably insecure libraries (it's been dead since
2014). Please migrate off to use the cryptography library. We'd like
to drop pycrypto from requirements for rocky.
See also, the bug, which has most of you cc'd already.
https://bugs.launchpad.net/openstack-requirements/+bug/1749574
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| Repository | Filename | Line | Text |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| barbican | requirements.txt | 25 | pycrypto>=2.6 # Public Domain |
| daisycloud-core | code/daisy/requirements.txt | 17 | pycrypto>=2.6 # Public Domain |
| freezer | requirements.txt | 21 | pycrypto>=2.6 # Public Domain |
| fuel-web | nailgun/requirements.txt | 24 | pycrypto>=2.6.1 |
| heat-cfnclient | requirements.txt | 2 | PyCrypto>=2.1.0 |
AFAICT heat-cfnclient isn't actually using PyCrypto, even though it's listed
in requirements.txt. The whole project is just a light wrapper around
python-boto (though this wasn't always the case IIRC), so I suspect it's
just relying on boto for all of the auth stuff.
Thanks for the notice, submitted a review to remove it.
https://review.openstack.org/568646
Post by Matthew Thode
| pyghmi | requirements.txt | 1 | pycrypto>=2.6 |
| rpm-packaging | requirements.txt | 189 | pycrypto>=2.6 # Public Domain |
| solum | requirements.txt | 24 | pycrypto>=2.6 # Public Domain |
| tatu | requirements.txt | 7 | pycrypto>=2.6.1 |
| tatu | test-requirements.txt | 7 | pycrypto>=2.6.1 |
| trove | integration/scripts/files/requirements/fedora-requirements.txt | 30 | pycrypto>=2.6 # Public Domain |
| trove | integration/scripts/files/requirements/ubuntu-requirements.txt | 29 | pycrypto>=2.6 # Public Domain |
| trove | requirements.txt | 47 | pycrypto>=2.6 # Public Domain |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
--
Matthew Thode (prometheanfire)
Javier Pena
2018-05-16 09:53:14 UTC
----- Original Message -----
Post by Matthew Thode
This is a reminder to the projects called out that they are using old,
unmaintained and probably insecure libraries (it's been dead since
2014). Please migrate off to use the cryptography library. We'd like
to drop pycrypto from requirements for rocky.
See also, the bug, which has most of you cc'd already.
https://bugs.launchpad.net/openstack-requirements/+bug/1749574
In the rpm-packaging case, the requirements.txt file is not actually a list of requirements for the project, but a copy of the requirements project upper-constraints.txt file (a bit outdated now).

Regards,
Javier
Post by Matthew Thode
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| Repository | Filename | Line | Text |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| barbican | requirements.txt | 25 | pycrypto>=2.6 # Public Domain |
| daisycloud-core | code/daisy/requirements.txt | 17 | pycrypto>=2.6 # Public Domain |
| freezer | requirements.txt | 21 | pycrypto>=2.6 # Public Domain |
| fuel-web | nailgun/requirements.txt | 24 | pycrypto>=2.6.1 |
| heat-cfnclient | requirements.txt | 2 | PyCrypto>=2.1.0 |
| pyghmi | requirements.txt | 1 | pycrypto>=2.6 |
| rpm-packaging | requirements.txt | 189 | pycrypto>=2.6 # Public Domain |
| solum | requirements.txt | 24 | pycrypto>=2.6 # Public Domain |
| tatu | requirements.txt | 7 | pycrypto>=2.6.1 |
| tatu | test-requirements.txt | 7 | pycrypto>=2.6.1 |
| trove | integration/scripts/files/requirements/fedora-requirements.txt | 30 | pycrypto>=2.6 # Public Domain |
| trove | integration/scripts/files/requirements/ubuntu-requirements.txt | 29 | pycrypto>=2.6 # Public Domain |
| trove | requirements.txt | 47 | pycrypto>=2.6 # Public Domain |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
--
Matthew Thode (prometheanfire)
Ade Lee
2018-05-16 15:31:43 UTC
Thanks for the reminder. We replaced the pycrypto code in Barbican but
forgot to remove the dependency in requirements.txt. A review has
been added to do this.

https://review.openstack.org/568879
Post by Matthew Thode
This is a reminder to the projects called out that they are using old,
unmaintained and probably insecure libraries (it's been dead since
2014). Please migrate off to use the cryptography library. We'd like
to drop pycrypto from requirements for rocky.
See also, the bug, which has most of you cc'd already.
https://bugs.launchpad.net/openstack-requirements/+bug/1749574
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| Repository | Filename | Line | Text |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
| barbican | requirements.txt | 25 | pycrypto>=2.6 # Public Domain |
| daisycloud-core | code/daisy/requirements.txt | 17 | pycrypto>=2.6 # Public Domain |
| freezer | requirements.txt | 21 | pycrypto>=2.6 # Public Domain |
| fuel-web | nailgun/requirements.txt | 24 | pycrypto>=2.6.1 |
| heat-cfnclient | requirements.txt | 2 | PyCrypto>=2.1.0 |
| pyghmi | requirements.txt | 1 | pycrypto>=2.6 |
| rpm-packaging | requirements.txt | 189 | pycrypto>=2.6 # Public Domain |
| solum | requirements.txt | 24 | pycrypto>=2.6 # Public Domain |
| tatu | requirements.txt | 7 | pycrypto>=2.6.1 |
| tatu | test-requirements.txt | 7 | pycrypto>=2.6.1 |
| trove | integration/scripts/files/requirements/fedora-requirements.txt | 30 | pycrypto>=2.6 # Public Domain |
| trove | integration/scripts/files/requirements/ubuntu-requirements.txt | 29 | pycrypto>=2.6 # Public Domain |
| trove | requirements.txt | 47 | pycrypto>=2.6 # Public Domain |
+----------------------------------------+---------------------------------------------------------------------+------+---------------------------------------------------+
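The thread turns on two checks: which requirements files still declare pycrypto (the table in the original mail), and whether the code actually imports it (the heat-cfnclient case, where the requirement was listed but unused, and the Barbican case, where the code was migrated but the requirement was left behind). The script below is an added example, not code from this thread or from any OpenStack project. It uses only the standard library; the project tree it builds is constructed sample data, and it assumes that `Crypto` is the top-level import name pycrypto installs (pycryptodome installs under the same name, so an import hit shows the name is used, not which distribution provides it).

```python
"""Audit a source tree for a pycrypto dependency that is declared, used, or stale.

Added example (not from the openstack-dev thread or any OpenStack project).
Only the standard library is used; the sample tree below is constructed.
"""
import ast
import os
import re
import tempfile

# PEP 508 names are case-insensitive and treat '-', '_' and '.' alike, so
# "PyCrypto>=2.1.0" and "pycrypto>=2.6" must compare equal after normalising.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalise(name):
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Normalised package name on a requirements line, or None for non-requirements.

    Comments, blank lines and pip options ('-r other.txt', '-e .') are skipped;
    extras, version specifiers and environment markers are cut off by the regex.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = _NAME_RE.match(stripped)
    return normalise(m.group(1)) if m else None


def find_declared(root, package="pycrypto"):
    """Yield (relative path, line number, text) for every line declaring package."""
    target = normalise(package)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith("requirements.txt"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path) as fh:
                for lineno, line in enumerate(fh, 1):
                    if requirement_name(line) == target:
                        yield os.path.relpath(path, root), lineno, line.rstrip()


def imports_module(source, top_level="Crypto"):
    """True if the Python source imports top_level or a submodule of it.

    ast is used instead of grep so commented-out imports and strings do not
    count; relative imports (level > 0) refer to the project's own packages.
    """
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            names = [node.module or ""]
        else:
            continue
        if any(n == top_level or n.startswith(top_level + ".") for n in names):
            return True
    return False


def find_imports(root):
    """Yield relative paths of .py files that import the pycrypto namespace."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path) as fh:
                    if imports_module(fh.read()):
                        yield os.path.relpath(path, root)


def audit(root):
    declared = list(find_declared(root))
    used = list(find_imports(root))
    # "stale" is the Barbican/heat-cfnclient situation: listed, never imported.
    return {"declared": declared, "used_in": used,
            "stale": bool(declared) and not used}


def build_sample_tree():
    """Constructed project: declares pycrypto twice, imports only cryptography."""
    root = tempfile.mkdtemp(prefix="pycrypto-audit-")
    os.makedirs(os.path.join(root, "app"))
    files = {
        "requirements.txt": "pbr>=2.0\nPyCrypto>=2.1.0  # Public Domain\n"
                            "pycryptodome>=3.4\n-r base.txt\n",
        "test-requirements.txt": "pycrypto>=2.6.1; python_version<'3'\n",
        "app/crypto_util.py": "# from Crypto.Cipher import AES   # old import, removed\n"
                              "from cryptography.hazmat.primitives.ciphers import Cipher\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = audit(build_sample_tree())
    for path, lineno, text in report["declared"]:
        print("%s:%d: %s" % (path, lineno, text))
    print("imported from:", report["used_in"] or "nowhere")
    print("stale dependency:", report["stale"])
```

Run against a real checkout, `audit(".")` reports every `*requirements.txt` line that pins pycrypto (case and marker variations included, `pycryptodome` excluded) and whether any module still imports `Crypto`; a non-empty `declared` with an empty `used_in` is the requirement-left-behind case the replies describe, and can be dropped without a code change.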