Open nrbgt opened 5 years ago
Yes please @nrbgt, pull request away, happy to merge in all the good crypto improvements!
From your assessment, I would keep shade in place, since it's the main reason I put this feedstock together as opposed to using the regular PyPI ansible.
My reason for this is that conda is heavily used in legacy HPC environments that happen to have semi-working, poorly maintained, OpenStack clouds.
boto came in super handy to migrate away to HPC into AWS (in my case).
In other words, this feedstock provides an easy way for busy people to move away from broken academic clusters into much better maintained commercial clouds... boto was ok to install on the side, but shade was especially painful to install alongside and that's why I bundled it in.
As you see, I have opinions shaped by experience, but I'm very happy to accept your contributions if the UX for assisting people to leave crusty HPC environments is kept simple.
Switching to pycryptodome should be easy
@mariusvniekerk Go ahead, happy to merge PRs :)
Thanks for making this available!
Had a look into it, and there are some issues that, while everything still works, are less-than-ideal.
pycrypto
ansible hasn't had a hard dependency on the abandoned pycrypto for some time. This is a problem for at least one CVE and who knows how many more. We could:
- pycrypto feedstock (e.g. use the debian patch)
  - safety) will continue to find issues with this, because the pypi upstream is probably never going to get fixed at this point
- pycryptodome
- cryptography
ansible started preferring cryptography to pycrypto over two years ago, but still supports both APIs, so it seems like the last option is most in line with the upstream.
httplib2
Was never a hard dependency, and some behavior has been re-implemented for what is remaining. Some of the contrib stuff (which we don't even distribute) does use it, but...
boto, shade, ...
it's very unlikely you'd use both at once, and if these two, why not GCP/Azure/RedShift/whatever else is supported in the huge contrib library? We could introduce multiple outputs that did do this, move current ansible to ansible-core, and leave ansible as a metapackage, but bleah. I'd be more inclined to just not include these, as you'll know, and likely want to manage, the version of your provider-specific library.
paramiko
Really torn on this. This is no longer a hard dependency, and the local connection will work fine without it, BUT it seems like keeping is a good idea. Again, as a security-related library, it's probably worth a look at a sensible bottom pin for this.
Happy to work up a PR!
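Added example, not part of the thread and not the feedstock's own code: a small check that applies the four points of the issue (abandoned pycrypto, optional httplib2, bundled boto/shade, unpinned security libraries) to a recipe's run requirements. The requirement list, the `>=2.0` floor and the finding labels are constructed for illustration.

```python
import re

# Rules paraphrase the four points raised in the issue; the labels are this example's own.
ABANDONED = {"pycrypto"}                      # abandoned upstream, at least one CVE
SECURITY_LIBS = {"paramiko", "cryptography"}  # security-related: want a lower pin
PROVIDER_LIBS = {"boto", "shade"}             # cloud-provider extras bundled for convenience
NOT_HARD_DEPS = {"httplib2"}                  # never a hard dependency of ansible

# Constructed run-requirements list, NOT the feedstock's real recipe.
# The ">=2.0" floor is a made-up value used only to exercise the check.
SAMPLE_RUN_REQS = [
    "python", "jinja2", "pyyaml",
    "pycrypto", "paramiko", "httplib2", "boto", "shade",
    "cryptography >=2.0",
]

SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*)$")

def parse_spec(line):
    """Split a conda-style 'name [constraint]' string into (name, constraint)."""
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    return m.group(1).lower(), m.group(2).strip()

def has_lower_bound(constraint):
    """True if a comma-separated clause sets a floor (>=, >, ==, = or a bare version)."""
    return any(re.match(r"\s*(>=|>|==|=|\d)", c) for c in constraint.split(","))

def audit(run_reqs):
    """Return (package, finding) pairs for requirements the issue calls out."""
    findings = []
    for line in run_reqs:
        name, constraint = parse_spec(line)
        if name in ABANDONED:
            findings.append((name, "abandoned"))
        elif name in SECURITY_LIBS and not has_lower_bound(constraint):
            findings.append((name, "no-lower-bound"))
        elif name in PROVIDER_LIBS:
            findings.append((name, "bundled-provider"))
        elif name in NOT_HARD_DEPS:
            findings.append((name, "not-hard-dependency"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RUN_REQS):
        print(f"{name}: {finding}")
```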