conda-forge / ansible-feedstock

A conda-smithy repository for ansible.
BSD 3-Clause "New" or "Revised" License

Review dependencies? #34

Open nrbgt opened 5 years ago

nrbgt commented 5 years ago

Thanks for making this available!

Had a look into it, and there are some issues that, while everything still works, are less-than-ideal.

pycrypto

ansible hasn't had a hard dependency on the abandoned pycrypto for some time. This is a problem for at least one CVE and who knows how many more. We could:

httplib2

Was never a hard dependency, and some behavior has been re-implemented for what is remaining. Some of the contrib stuff (which we don't even distribute) does use it, but...

boto, shade, ...

it's very unlikely you'd use both at once, and if these two, why not GCP/Azure/RedShift/whatever else is supported in the huge contrib library? We could introduce multiple outputs that did do this, move current ansible to ansible-core, and leave ansible as a metapackage, but bleah. I'd be more inclined to just not include these, as you'll know, and likely want to manage, the version of your provider-specific library.

paramiko

Really torn on this. This is no longer a hard dependency, and the local connection will work fine without it, BUT it seems like keeping is a good idea. Again, as a security-related library, it's probably worth a look at a sensible bottom pin for this.

Happy to work up a PR!
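A multi-output recipe of the shape sketched in the comment above (a slim `ansible-core` output plus an `ansible` metapackage that pulls in the cloud libraries), shown here as an added illustration and not as this feedstock's own `meta.yaml`; the version, checksum, the bottom pin on `paramiko` and the exact dependency list are placeholders, not values taken from the issue:

```yaml
# Added example, not the feedstock's recipe. Placeholders are marked as such.
{% set version = "X.Y.Z" %}            # placeholder version

package:
  name: ansible-split                  # placeholder top-level name; outputs carry the real names
  version: {{ version }}

source:
  url: https://pypi.io/packages/source/a/ansible/ansible-{{ version }}.tar.gz
  sha256: PLACEHOLDER_SHA256           # placeholder; fill in from the release you package

build:
  number: 0

outputs:
  # Minimal install: ansible itself without any cloud-provider SDKs.
  - name: ansible-core
    script: python -m pip install . --no-deps -vv
    requirements:
      host:
        - python
        - pip
      run:
        - python
        - jinja2
        - pyyaml
        - paramiko >=MIN_VERSION       # placeholder bottom pin for the SSH library
        - pycryptodome                 # replaces the abandoned pycrypto
    test:
      imports:
        - ansible
      commands:
        - ansible --version

  # Metapackage: keeps the current "batteries included" install for OpenStack/AWS users.
  - name: ansible
    requirements:
      run:
        - {{ pin_subpackage('ansible-core', exact=True) }}
        - shade
        - boto
    test:
      imports:
        - ansible
        - shade
        - boto
```

With this layout someone who only needs local or SSH connections installs `ansible-core`, while `conda install ansible` continues to bring in `shade` and `boto` exactly as the single-output feedstock does today, so the provider SDKs are pinned in one place rather than in every consumer's environment.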

brainstorm commented 5 years ago

Yes please @nrbgt, pull-request away, happy to merge in all the good crypto improvements!

From your assessment, I would keep shade in place, since it's the main reason I put this feedstock together as opposed to using the regular PyPI ansible.

My reason for this is that conda is heavily used in legacy HPC environments that happen to have semi-working, poorly maintained, OpenStack clouds.

boto came in super handy to migrate away from HPC into AWS (in my case).

In other words, this feedstock provides an easy way for busy people to move away from broken academic clusters into much better maintained commercial clouds... boto was ok to install on the side, but shade was especially painful to install alongside and that's why I bundled it in.

As you see, I have opinions shaped by experience, but I'm very happy to accept your contributions if the UX for assisting people to leave crusty HPC environments is kept simple.

mariusvniekerk commented 5 years ago

Switching to pycryptodome should be easy

brainstorm commented 5 years ago

@mariusvniekerk Go ahead, happy to merge PRs :)