On 09/19/2017 08:22 AM, Jeremy Cline wrote:
> Hey folks,
>
> I'd like to propose that we build a newer version of pyOpenSSL for EL7.
> The version provided by base RHEL is 0.13.1. We need at least 16.1.0.
>
> The motivation for this proposal is that at the moment, fedmsg has two
> implementations of message signing and verification. The first is based
> on M2Crypto and m2ext, while the second is based on cryptography and
> pyOpenSSL.
>
> The reason there are two implementations is that M2Crypto does not
> support Python 3. Python 2 reaches end of life in 30 months. fedmsg is a
> dependency of nearly every Infrastructure application and thus it
> supporting Python 3 is critical so that we can start the process of
> supporting Python 3 in our applications.
>
> In order to provide a Python 3 build of fedmsg for EL7, we need to build
> a newer pyOpenSSL. I reviewed the changelogs[0][1] and from what I can
> tell APIs were only extended until pyOpenSSL-17.1.0, at which point
> several backwards-incompatible changes were made. I believe we could
> safely update to 17.0.0 without breaking applications that depend on it.
>
> I've made a small list of pros and cons to doing this:

...snip...

> What do people think? Is it worth the headache/risk?

Could we build the new pyOpenSSL/cryptography for epel7, but as python3
only? (so it doesn't override the base rhel one)? I suppose that would
force a massive amount of upfront porting to python3 that would be
difficult?

I guess I'd be ok doing this (we are kind of in a bad place, so none of
the choices are great), but we should get at least 3-4 of us to watch
commits on the fedora pyOpenSSL and cryptography to make sure we see
issues/bugs/updates as they happen?

kevin
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx