In the past, we've been very conservative about updating to require new
versions of pyOpenSSL and cryptography.
Right now we have a patch, <https://github.com/twisted/twisted/pull/146>
(<https://twistedmatrix.com/trac/ticket/8441#comment:1>), that I'd like to just
land. However, it establishes a dependency on a new version of pyOpenSSL,
which transitively establishes a dependency on a new version of Cryptography.
Generally, my thinking has evolved over the last few years to think that
security dependencies like this should move fast, especially on projects (like
pyOpenSSL and cryptography specifically) that don't maintain "stable" branches
which do security patch-releases.
In this specific case, the fix is not urgent; as it turns out, the Netscape
SPKI APIs actually do do the desired thing, which is just hashing the DER bytes
of the key. (At the time I made the change to use Netscape SPKI, I thought it
might be including some other junk in the hash; we just lucked out here.)
It's just a gross API for doing it which we should stop using now that better
APIs have been exposed to do the same thing.
However, it bears discussing - what are the things that hold us to older
versions of pyOpenSSL and cryptography? Is there any good reason not to move
our version pins forward whenever there's a new API or feature that we'd like,
even for something simple like this cleanup?
My default position is "upgrade upgrade upgrade" so if there's not a lot of
interest in this discussion I'll probably just land the PR in question as-is.
Thanks all,
-glyph
_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python