Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update cryptography dependency #5898

Closed
eloquence opened this issue Apr 13, 2021 · 2 comments · Fixed by #5964
Closed

Update cryptography dependency #5898

eloquence opened this issue Apr 13, 2021 · 2 comments · Fixed by #5964
Assignees
@kushaldas
Labels
release blocker security
Milestone
2.0.0

Comments

@eloquence
Copy link
Member

The cryptography library is currently pinned at version 3.2.1, because 3.3 dropped Python 3.5 support, which is the version of Python included with Ubuntu 16.04.

After the full removal of Xenial support (#5725), we should be in a good position to update the cryptography library as part of the SecureDrop 2.0.0 release. We can consider:

  • version 3.3.2, which as of this writing is the last release with security fixes, and which was released prior to the inclusion of Rust code
  • the latest stable version at the time of release, which will introduce the Rust build requirement.
@eloquence eloquence added this to the 2.0.0 milestone Apr 13, 2021
@eloquence eloquence added this to Next sprint candidates in SecureDrop Team Board Apr 13, 2021
@eloquence eloquence modified the milestones: 2.0.0, 1.9.0 Apr 15, 2021
@eloquence eloquence moved this from Next sprint candidates to SecureDrop Sprint #69 - 4/15-4/28 in SecureDrop Team Board Apr 15, 2021
@eloquence eloquence removed the blocked label May 3, 2021
@eloquence
Copy link
Member Author

With #5911 merged, this should now be unblocked.

@kushaldas
Copy link
Contributor

For the 2.0.0 release, I suggest to move to the 3.3.2 as we can easily build it from the sources, and then in the next release we can change the build process to use the prebuilt wheels from our workflow/git repository.

@kushaldas kushaldas self-assigned this May 25, 2021
@kushaldas kushaldas moved this from SecureDrop Sprint #71 (5/20-6/2) to In Development in SecureDrop Team Board May 25, 2021
kushaldas added a commit that referenced this issue May 27, 2021
@kushaldas
Fixes #5898 Adds latest cryptography
38ffa20 
This commit brings in the rust compiler toolchain during the package
build and also updates the cryptography package to the latest 3.4.7
@kushaldas kushaldas mentioned this issue May 27, 2021
Merged
13 tasks
kushaldas added a commit that referenced this issue Jun 1, 2021
@kushaldas
Fixes #5898 Adds latest cryptography 3.4.7
a9c09d8 
Updates the cryptography package to the latest 3.4.7
zenmonkeykstop pushed a commit that referenced this issue Jun 1, 2021
@kushaldas @zenmonkeykstop
Fixes #5898 Adds latest cryptography 3.4.7
eabf0dd 
Updates the cryptography package to the latest 3.4.7
@eloquence eloquence removed this from In Development in SecureDrop Team Board Jun 1, 2021
@rmol rmol closed this as completed in #5964 Jun 1, 2021
rmol added a commit that referenced this issue Jun 1, 2021
@rmol
Merge pull request #5964 from freedomofpress/crptography_update_with_…
fdf2c28 
…rust

Fixes #5898 Adds latest cryptography
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kushaldas kushaldas

Labels
release blocker security
Projects
None yet
Milestone
2.0.0
Development

Successfully merging a pull request may close this issue.

Fixes #5898 Adds latest cryptography freedomofpress/securedrop
2 participants
@eloquence @kushaldas