Skip to content

Remove cryptography upper version bound #515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
vkomarov-r7 opened this issue Feb 8, 2023 · 6 comments
Closed

Remove cryptography upper version bound #515

vkomarov-r7 opened this issue Feb 8, 2023 · 6 comments
Labels
SDK Issue pertains to the SDK itself and not specific to any service

Comments

@vkomarov-r7
Copy link

Hey there, wanted to open a follow-on issue to #343. Would it be possible for you guys to remove the <39.0.0 part in the cryptography package? The same case as described previous issue has occurred again (via https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-3315328).

The fix is in version 39.0.1, but nobody that also depends on oci can update at this time.

I believe this should be a safe change for projects to make based on cryptography's API Stability Policy, which states that:

  • Public APIs will not be removed or renamed without providing a compatibility alias.
  • The behavior of existing APIs will not change.
@github-anurag
Copy link
Member

@vkomarov-r7
Thanks for bringing this up. We are evaluating moving the upperbound to support 39.0.1, but we need to think about it a bit because it seems 39.0.1 drops support for certain OS versions and OpenSSL versions, and we’re worried about negatively impacting our existing users on those OpenSSL versions / OS versions.

Refer: https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#3900---2023-01-01

@KartikShrikantHegde KartikShrikantHegde added the SDK Issue pertains to the SDK itself and not specific to any service label Feb 9, 2023
@alexenoname
Copy link

I join @vkomarov-r7 in his request. It seems that only "cryptography==39.0.1" fixes CVE-2023-0401 and CVE-2023-0286 vulnerabilities. These vulnerabilities are marked as HIGH by various vulnerability scanners thus making usage of your library a security risk.

Will really appreciate your effort on this one.

@ahopkins
Copy link

This is a real blocker for us. Libs with upper bounds is bad practice for downstream users' applications. Please consider heavily removing this boundary and dealing with various version limitations in your code for compat issues.

@vkomarov-r7
Copy link
Author

vkomarov-r7 commented Feb 28, 2023
edited
Loading

@github-anurag: @vkomarov-r7 Thanks for bringing this up. We are evaluating moving the upperbound to support 39.0.1, but we need to think about it a bit because it seems 39.0.1 drops support for certain OS versions and OpenSSL versions, and we’re worried about negatively impacting our existing users on those OpenSSL versions / OS versions.

Refer: https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst#3900---2023-01-01

That makes sense. If there are backwards-incompatible changes that need to be made (and they can't be corrected in the code), would you consider releasing this change in a 3.0.0 version of the package?

@bhagwatvyas
Copy link
Member

Hi all, we are testing the changes internally for supporting 39.0.1. I expect that we will have the version with the fix out in the next 2 weeks.

@oci-dex-release-bot oci-dex-release-bot mentioned this issue Mar 14, 2023
Merged
@bhagwatvyas
Copy link
Member

This has been fixed in version 2.95.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
SDK Issue pertains to the SDK itself and not specific to any service
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@ahopkins @jodoglevy @bhagwatvyas @github-anurag @KartikShrikantHegde @vkomarov-r7 @alexenoname