Limit cryptography version in odoo requirements

[kafai-lam]

When odoo env was setup with odootools manage setup 15.0, cryptography>=37.0.0 will be installed which is incompatible to odoo 15.0. According to https://github.com/odoo/odoo/pull/99829, it will be better to pin cryptography==2.6.1

[kafai-lam]

@llacroix continues discussion from #8

The error message is like following when I run odootools db init dev or init database with just odoo command

❯ odootools db init dev
Couldn't load module web
module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
Failed to load server-wide module `web`.
The `web` module is provided by the addons found in the `openerp-web` project.
Maybe you forgot to add those addons in your addons_path configuration.
Traceback (most recent call last):
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/service/server.py", line 1210, in load_server_wide_modules
    odoo.modules.module.load_openerp_module(m)
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/modules/module.py", line 396, in load_openerp_module
    __import__('odoo.addons.' + module_name)
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/web/__init__.py", line 4, in <module>
    from . import controllers
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/web/controllers/__init__.py", line 4, in <module>
    from . import main
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/web/controllers/main.py", line 34, in <module>
    from odoo.addons.base.models.ir_qweb import render as qweb_render
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/base/__init__.py", line 5, in <module>
    from . import models
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/base/models/__init__.py", line 23, in <module>
    from . import ir_mail_server
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/base/models/ir_mail_server.py", line 19, in <module>
    from OpenSSL import crypto as SSLCrypto
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/OpenSSL/crypto.py", line 1553, in <module>
    class X509StoreFlags(object):
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
Couldn't load module base
module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
Failed to load server-wide module `base`.
Traceback (most recent call last):
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/service/server.py", line 1210, in load_server_wide_modules
    odoo.modules.module.load_openerp_module(m)
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/modules/module.py", line 396, in load_openerp_module
    __import__('odoo.addons.' + module_name)
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/base/__init__.py", line 5, in <module>
    from . import models
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/base/models/__init__.py", line 23, in <module>
    from . import ir_mail_server
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/odoo/addons/base/models/ir_mail_server.py", line 19, in <module>
    from OpenSSL import crypto as SSLCrypto
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/OpenSSL/crypto.py", line 1553, in <module>
    class X509StoreFlags(object):
  File "/Users/fai/Repositories/poc/odootools-setup/.venv/lib/python3.10/site-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK

related issue: https://github.com/odoo/odoo/issues/99809

[llacroix]

Could you try with cryptography==36.0.0 or even simply cryptography<37

That's what I have installed but can confirm that it's broken with 37.

[llacroix]

Ok, I gave a second look and checked the linked issues/PRs.

It seems that the version of PyOpenSSL is still at 19 because they're likely using debian but debian is always a bit behind in its versions. Fedora 36 uses PyOpenSSL 21, ubuntu 22.04 uses 21. The next release of Debian is planning to use PyOpenSSL 21 but the current one uses 20.

Since PyOpenSSL sets its own dependencies on the cryptography module. I'd rather set the version of PyOpenssl to something higher than >= 21 to ensure cryptography can be upgraded without issue and add cryptography dependencies without requirements as it's technically managed already by OpenSSL to set a minimum bound.

If someone need more restrictive dependencies, it could be handled by manually by installing a third module that restrict it further.

From my own personal tests, it seems to work fine with 21.0 and 22.0 of PyOpenSSL. And the cryptography version is correctly installed.

I don't see why we'd want to be forced to use 19 and it can be upgraded to 21 without issues even with debian.

[kafai-lam]

I get similar result, change to pyopenssl>=21 should be great

[llacroix]

I did some tests and it seems fine. I also added the file for 16.0 but no tests running for 16.0 I'll enable them when there will be an official release. It's possible to install 16.0 from github thought.