Proposal: updated pyOpenSSL in the epel7-infra repository

Hey folks,

I'd like to propose that we build a newer version of pyOpenSSL for EL7.
The version provided by base RHEL is 0.13.1. We need at least 16.1.0.

The motivation for this proposal is that at the moment, fedmsg has two
implementations of message signing and verification. The first is based
on M2Crypto and m2ext, while the second is based on cryptography and
pyOpenSSL.

The reason there are two implementations is that M2Crypto does not
support Python 3. Python 2 reaches end of life in 30 months. fedmsg is a
dependency of nearly every Infrastructure application and thus it
supporting Python 3 is critical so that we can start the process of
supporting Python 3 in our applications.

In order to provide a Python 3 build of fedmsg for EL7, we need to build
a newer pyOpenSSL. I reviewed the changelogs[0][1] and from what I can
tell APIs were only extended until pyOpenSSL-17.1.0, at which point
several backwards-incompatible changes were made. I believe we could
safely update to 17.0.0 without breaking applications that depend on it.

I've made a small list of pros and cons to doing this:

Cons
----

* Building a package provided by RHEL's base repository.

* Some risk of breaking applications and libraries using pyOpenSSL.

* We have to maintain it and keep an eye open for any CVEs.

* Even if we do this, fedmsg has to continue to carry the M2Crypto
  code unless we want to stop updating fedmsg in EPEL (I'm open to
  this, but I'm biased - I really don't want to maintain M2Crypto code).

Pros
----

* Applications have an easier time porting to Python 3. New applications
  can seriously consider being Python 3 only.

* A single code path for signing and validating messages for our
  applications.


What do people think? Is it worth the headache/risk?


[0] https://github.com/pyca/pyopenssl/blob/master/doc/ChangeLog_old.txt#L188
[1] https://pyopenssl.org/en/stable/changelog.html

-- 
Jeremy Cline
XMPP: jeremy@xxxxxxxxxx
IRC:  jcline
