Hey folks,

I'd like to propose that we build a newer version of pyOpenSSL for EL7. The version provided by base RHEL is 0.13.1. We need at least 16.1.0.

The motivation for this proposal is that at the moment, fedmsg has two implementations of message signing and verification. The first is based on M2Crypto and m2ext, while the second is based on cryptography and pyOpenSSL. The reason there are two implementations is that M2Crypto does not support Python 3. Python 2 reaches end of life in 30 months. fedmsg is a dependency of nearly every Infrastructure application and thus its supporting Python 3 is critical so that we can start the process of supporting Python 3 in our applications. In order to provide a Python 3 build of fedmsg for EL7, we need to build a newer pyOpenSSL.

I reviewed the changelogs[0][1] and from what I can tell APIs were only extended until pyOpenSSL-17.1.0, at which point several backwards-incompatible changes were made. I believe we could safely update to 17.0.0 without breaking applications that depend on it.

I've made a small list of pros and cons to doing this:

Cons
----
* Building a package provided by RHEL's base repository.
* Some risk of breaking applications and libraries using pyOpenSSL.
* We have to maintain it and keep an eye open for any CVEs.
* Even if we do this, fedmsg has to continue to carry the M2Crypto code unless we want to stop updating fedmsg in EPEL (I'm open to this, but I'm biased - I really don't want to maintain M2Crypto code).

Pros
----
* Applications have an easier time porting to Python 3. New applications can seriously consider being Python 3 only.
* A single code path for signing and validating messages for our applications.

What do people think? Is it worth the headache/risk?

[0] https://github.com/pyca/pyopenssl/blob/master/doc/ChangeLog_old.txt#L188
[1] https://pyopenssl.org/en/stable/changelog.html

--
Jeremy Cline
XMPP: jeremy@xxxxxxxxxx
IRC: jcline
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx