Use ranges in setup.py dependencies

[vkomarov-r7]

In the setup.py file, both configparser as well as cryptography are both pinned to absolute versions. This causes version conflicts when we use the oci library in our codebase. Would it be possible to move to using a minimum range instead?

e.g.: cryptography>=3.3.2

https://github.com/oracle/oci-python-sdk/blob/master/setup.py#L34-L35

[bhagwatvyas]

Hi @vkomarov-r7, the reason that the cryptography dependency is set to v3.3.2 is we have tested with, and have compliance and security approval to use v3.3.2. We are evaluating our use of configparser and may not use it in the future.

[vkomarov-r7]

Hey @bhagwatvyas: Thanks for your response.

Please be aware that pinning versions in this manner is itself a security vulnerability. By pinning the version of cryptography to a particular version, users of this library are unable to upgrade their cryptography versions until you do.

For example, the currently released version of cryptography is 3.4.7 which comes bundled with OpenSSL 1.1.1k, which includes security updates that users cannot take as a result of this explicit pinning.

If possible, please reconsider your policy on this. Here's a list of how other popular OSS packages use the cryptography package (notice how each one of them specifies a minimum version via >=):

• paramiko
• pyOpenSSL
• azure-identity

[bhagwatvyas]

Hi @vkomarov-r7, the latest version of the OCI Python SDK, v 2.40.1, allows a range for cryptography versions, starting from 3.2.1 up to 3.4.7.

[pabs3]

Looks like this issue can be closed now, all the dependencies in setup.py have version ranges.