Skip to content

{Packaging} Loosen cryptography dependency #19639

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jiasli merged 2 commits into from
Sep 28, 2021
Merged

{Packaging} Loosen cryptography dependency #19639

jiasli merged 2 commits into from
Sep 28, 2021

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Sep 22, 2021

Description

Reasons why we can loose the cryptography dependency now:

For upper bound

#15687 (comment) set an upper bound for cryptography due to pyca/cryptography#5771.

By following https://cryptography.io/en/latest/installation/#alpine, I am now able to install cryptography 3.4.8 on Alpine Linux (#19591). There is no need to set upper bound now.

For lower bound

Community packagers ask us not to bump the minimum dependency in setup.py as this causes trouble for platforms that doesn't support newer versions of cryptography (#15687 (comment)). By loosing the dependency on cryptography, users or packagers themselves are now responsible for security vulnerabilities in older versions of cryptography.

As we still pin the version in requirements.*.txt, packages distributed by us still contain cryptography which is security-complaint.

jiasli
jiasli commented Sep 22, 2021
View reviewed changes
@jiasli jiasli mentioned this pull request Sep 22, 2021
Merged
@jiasli jiasli changed the title {Packaging} Loose cryptography dependency {Packaging} Loosen cryptography dependency Sep 22, 2021
@yonzhan
Copy link
Collaborator

yonzhan commented Sep 22, 2021

Packaging

@yonzhan yonzhan added this to the Sep 2021 (2021-10-12) milestone Sep 22, 2021
@jiasli
Copy link
Member Author

jiasli commented Sep 22, 2021

@glaubitz, I have totally removed the lower bound. Will this suit your need?

@glaubitz
Copy link

glaubitz commented Sep 24, 2021

Is version 3.0 actually the absolute minimum that you need now? That is, is there functionality that you need that is not part of version 2.8?

@jiasli
Copy link
Member Author

jiasli commented Sep 24, 2021

We don't require >3.0 now. Any version works.

@glaubitz
Copy link

glaubitz commented Sep 24, 2021

Then either remove the version requirement or use at least 2.8 which is what SLE-12 and SLE-15 are shipping at the moment.

@jiasli
Copy link
Member Author

jiasli commented Sep 24, 2021
edited
Loading

Then either remove the version requirement

It is already removed.

https://github.com/Azure/azure-cli/pull/19639/files

image

@jiasli jiasli merged commit b84170e into Azure:dev Sep 28, 2021
@jiasli jiasli deleted the crypto branch September 28, 2021 05:33
This was referenced Oct 8, 2021
Merged
Merged
@jiasli jiasli mentioned this pull request Oct 16, 2021
Merged
@ziegenberg ziegenberg mentioned this pull request Mar 2, 2022
Merged
@jiasli jiasli mentioned this pull request Jan 11, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@calvinhzy calvinhzy calvinhzy approved these changes

@jsntcy jsntcy Awaiting requested review from jsntcy jsntcy is a code owner

@kairu-ms kairu-ms Awaiting requested review from kairu-ms kairu-ms is a code owner

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms zhoxing-ms is a code owner

Assignees

@jiasli jiasli

Labels

None yet

Projects

None yet

Milestone

Sep 2021 (2021-10-12)

Development

Successfully merging this pull request may close these issues.

Unpin cryptography package in azure-cli-core

5 participants

@jiasli @yonzhan @glaubitz @evelyn-ys @calvinhzy