From readthedocs at readthedocs.org Sun Jun 4 17:48:35 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Sun, 04 Jun 2017 21:48:35 -0000
Subject: [Cryptography-dev] Failed: Cryptography (a8b1c6e9)
Message-ID: <20170604214835.3008.14752@web03.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:
https://readthedocs.org/projects/cryptography/builds/5515213/

If you have questions, a good place to start is the FAQ:
https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From readthedocs at readthedocs.org Sun Jun 4 17:48:38 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Sun, 04 Jun 2017 21:48:38 -0000
Subject: [Cryptography-dev] Failed: Cryptography (e3ff364f)
Message-ID: <20170604214838.2993.31527@web03.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:
https://readthedocs.org/projects/cryptography/builds/5515214/

If you have questions, a good place to start is the FAQ:
https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From hs at ox.cx Wed Jun 7 04:03:15 2017
From: hs at ox.cx (Hynek Schlawack)
Date: Wed, 7 Jun 2017 10:03:15 +0200
Subject: [Cryptography-dev] pyOpenSSL
Message-ID:

Hi,

This is not an easy e-mail for me to write so let's start with the hard part: I'm objectively being a terrible maintainer for pyOpenSSL.

There's many reasons to that. I have a day job with lots of responsibilities. I have my own projects like attrs or structlog (which I also let down more often than I care for). Getting up at 6am on Saturdays to work on FOSS is not enough anymore to catch up with my obligations (and I've had enough of feeling bad for sleeping in on weekends).
pyOpenSSL does all the things I need. Quite often, I also feel utterly unqualified for that job which leads to dragging Paul, Chris, or Cory into issues and PRs although they never signed up for that crap and I feel bad.

I believe an important package like pyOpenSSL deserves better. And after two years I'm positive I'm not the person who can deliver that "better." I'm highly unlikely to have more time or motivation anytime soon.

When I took over my plan was to help to lead pyOpenSSL into obsolescence by mostly janitoring and delegating to smarter people. What happened is that I'm receiving private e-mails I wish I wouldn't and that pyOpenSSL isn't going anywhere - not least due to Python core blocking.

On the bright side, I think I've managed to lead pyOpenSSL into a reasonably good state. A not entirely horrifying, modern-ish base others can build on.

So I think this is a good moment to start a transition in maintainership.

That said, I have no idea whom to pass the token to. I don't want to add burden to Paul or Cory who already do way too much. I want Chris to be able to focus on the stdlib. I don't think our resident C++ programmer would appreciate that burden. I just don't know.

I'm certainly unhappy with my legacy here but I'm fed up to live in guilt.

So yeah, there's that.

-h

P.S FWIW, I do not intend to end my involvement with PyCA. I enormously enjoy working with y'all which is the only reason it took me so long to throw the towel. But I'd rather be a valuable contributor than a disappointing maintainer.

From cory at lukasa.co.uk Wed Jun 7 04:39:24 2017
From: cory at lukasa.co.uk (Cory Benfield)
Date: Wed, 7 Jun 2017 09:39:24 +0100
Subject: [Cryptography-dev] pyOpenSSL
In-Reply-To:
References:
Message-ID: <8A3C881F-3A67-4DD6-B09F-AF09804226A3@lukasa.co.uk>

Hynek,

Thanks for writing this email. For what it's worth, I disagree with the premise, but let's just grant it and discuss the future of PyOpenSSL.
I think it's safe to say that everyone with the commit bit has pretty lukewarm feelings towards PyOpenSSL. At this point it primarily exists to serve Twisted: in most situations Requests can get by with using the stdlib thanks to 2.7.9 fixing many problems, and as time marches on the spectrum of users that need PyOpenSSL for Requests is getting smaller and smaller.

However, I agree that PyOpenSSL isn't going anywhere, especially given that python-dev is reluctant to backport MemoryBIO. There does not appear to be any reason to assume that PyOpenSSL can be abandoned until after 2020 at the very earliest, especially as it may turn out that I need it for PEP 543 anyway. So I 100% agree that we need to find a way to transition maintainership.

My proposal is to just formalize the position we already mostly have and say that PyOpenSSL has no single lead maintainer, but is co-maintained by the PyCA team. We can then discuss whether there is value in bringing in others to help spread the load around. This is already the de facto state of PyOpenSSL: we'd just be formalizing that position so we can remove your name from the "maintainer" slot and try to reduce the amount of email you get.

How does that sound?

Cory

From alex.gaynor at gmail.com Wed Jun 7 08:15:50 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Wed, 7 Jun 2017 08:15:50 -0400
Subject: [Cryptography-dev] pyOpenSSL
In-Reply-To: <8A3C881F-3A67-4DD6-B09F-AF09804226A3@lukasa.co.uk>
References: <8A3C881F-3A67-4DD6-B09F-AF09804226A3@lukasa.co.uk>
Message-ID:

I think agreeing that pyOpenSSL is maintained by the lot of us, poor decision makers, is the right move. +1.

As you've both astutely highlighted, none of us really like pyOpenSSL, nor do we make much time for it.

Are there things we can do to lower the maintenance burden for ourselves? At this point the X.509 layer in cryptography is complete, can we deprecate the one in pyOpenSSL?
That'd let us kill a good deal of code, and really get pyOpenSSL down to just an SSL layer, which is all we care about anyways.

Alex

On Wed, Jun 7, 2017 at 4:39 AM, Cory Benfield wrote:

> Hynek,
>
> Thanks for writing this email. For what it's worth, I disagree with the
> premise, but let's just grant it and discuss the future of PyOpenSSL.
>
> I think it's safe to say that everyone with the commit bit has pretty
> lukewarm feelings towards PyOpenSSL. At this point it primarily exists to
> serve Twisted: in most situations Requests can get by with using the stdlib
> thanks to 2.7.9 fixing many problems, and as time marches on the spectrum
> of users that need PyOpenSSL for Requests is getting smaller and smaller.
>
> However, I agree that PyOpenSSL isn't going anywhere, especially given
> that python-dev is reluctant to backport MemoryBIO. There does not appear
> to be any reason to assume that PyOpenSSL can be abandoned until after 2020
> at the very earliest, especially as it may turn out that I need it for PEP
> 543 anyway. So I 100% agree that we need to find a way to transition
> maintainership.
>
> My proposal is to just formalize the position we already mostly have and
> say that PyOpenSSL has no single lead maintainer, but is co-maintained by
> the PyCA team. We can then discuss whether there is value in bringing in
> others to help spread the load around. This is already the de facto state
> of PyOpenSSL: we'd just be formalizing that position so we can remove your
> name from the "maintainer" slot and try to reduce the amount of email you
> get.
>
> How does that sound?
>
> Cory
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law."
-- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From cory at lukasa.co.uk Wed Jun 7 08:36:05 2017
From: cory at lukasa.co.uk (Cory Benfield)
Date: Wed, 7 Jun 2017 13:36:05 +0100
Subject: [Cryptography-dev] pyOpenSSL
In-Reply-To:
References: <8A3C881F-3A67-4DD6-B09F-AF09804226A3@lukasa.co.uk>
Message-ID: <39E5B4D3-5684-4387-9448-BACE49351E1E@lukasa.co.uk>

> On 7 Jun 2017, at 13:15, Alex Gaynor wrote:
>
> Are there things we can do to lower the maintenance burden for ourselves? At this point the X.509 layer in cryptography is complete, can we deprecate the one in pyOpenSSL? That'd let us kill a good deal of code, and really get pyOpenSSL down to just an SSL layer, which is all we care about anyways.

Right now there aren't any functions that let you convert to cryptography X509 objects from PyOpenSSL ones or vice versa: only for keys. If we got those for the various X509 objects then I think that'd be a reasonable thing to do.

Cory

From ronf at timeheart.net Wed Jun 7 09:20:03 2017
From: ronf at timeheart.net (Ron Frederick)
Date: Wed, 7 Jun 2017 06:20:03 -0700
Subject: [Cryptography-dev] pyOpenSSL
In-Reply-To: <39E5B4D3-5684-4387-9448-BACE49351E1E@lukasa.co.uk>
References: <8A3C881F-3A67-4DD6-B09F-AF09804226A3@lukasa.co.uk> <39E5B4D3-5684-4387-9448-BACE49351E1E@lukasa.co.uk>
Message-ID: <09C81B12-FB95-4796-8916-1176E6CAA52B@timeheart.net>

On Jun 7, 2017, at 5:36 AM, Cory Benfield wrote:
>> On 7 Jun 2017, at 13:15, Alex Gaynor wrote:
>>
>> Are there things we can do to lower the maintenance burden for ourselves? At this point the X.509 layer in cryptography is complete, can we deprecate the one in pyOpenSSL? That'd let us kill a good deal of code, and really get pyOpenSSL down to just an SSL layer, which is all we care about anyways.
>
> Right now there aren't any functions that let you convert to cryptography X509 objects from PyOpenSSL ones or vice versa: only for keys.
> If we got those for the various X509 objects then I think that'd be a reasonable thing to do.

I recently started working on adding X.509 certificate support to AsyncSSH and after looking at the X.509 support in PyCA and being unaware of the history here, I reluctantly concluded that I might need to add PyOpenSSL as an additional dependency. While PyCA did have pretty good support for building X.509 certificates, it has a major hole with regard to verifying certificate chains, which is something I need.

Before removing X.509 from PyOpenSSL, I really think that certificate chain validation needs to be added to PyCA. There's an open issue on this already (https://github.com/pyca/cryptography/issues/2381) from back in 2015, but it looks like the work was never completed.

--
Ron Frederick
ronf at timeheart.net

From alex.gaynor at gmail.com Wed Jun 7 09:25:35 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Wed, 7 Jun 2017 09:25:35 -0400
Subject: [Cryptography-dev] pyOpenSSL
In-Reply-To: <09C81B12-FB95-4796-8916-1176E6CAA52B@timeheart.net>
References: <8A3C881F-3A67-4DD6-B09F-AF09804226A3@lukasa.co.uk> <39E5B4D3-5684-4387-9448-BACE49351E1E@lukasa.co.uk> <09C81B12-FB95-4796-8916-1176E6CAA52B@timeheart.net>
Message-ID:

Great point.

Alex

On Jun 7, 2017 9:24 AM, "Ron Frederick" wrote:

> On Jun 7, 2017, at 5:36 AM, Cory Benfield wrote:
>
> On 7 Jun 2017, at 13:15, Alex Gaynor wrote:
>
> Are there things we can do to lower the maintenance burden for ourselves?
> At this point the X.509 layer in cryptography is complete, can we deprecate
> the one in pyOpenSSL? That'd let us kill a good deal of code, and really
> get pyOpenSSL down to just an SSL layer, which is all we care about anyways.
>
>
> Right now there aren't any functions that let you convert to cryptography
> X509 objects from PyOpenSSL ones or vice versa: only for keys.
> If we got those for the various X509 objects then I think that'd be a reasonable
> thing to do.
>
>
> I recently started working on adding X.509 certificate support to AsyncSSH
> and after looking at the X.509 support in PyCA and being unaware of the
> history here, I reluctantly concluded that I might need to add PyOpenSSL as
> an additional dependency. While PyCA did have pretty good support for
> building X.509 certificates, it has a major hole with regard to verifying
> certificate chains, which is something I need.
>
> Before removing X.509 from PyOpenSSL, I really think that certificate
> chain validation needs to be added to PyCA. There's an open issue on this
> already (https://github.com/pyca/cryptography/issues/2381) from back in
> 2015, but it looks like the work was never completed.
> --
> Ron Frederick
> ronf at timeheart.net
>

From readthedocs at readthedocs.org Fri Jun 9 17:19:35 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Fri, 09 Jun 2017 21:19:35 -0000
Subject: [Cryptography-dev] Failed: Cryptography (61858f36)
Message-ID: <20170609211935.24164.28360@web02.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:
https://readthedocs.org/projects/cryptography/builds/5540864/

If you have questions, a good place to start is the FAQ:
https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org
From hs at ox.cx Sat Jun 10 02:40:30 2017
From: hs at ox.cx (Hynek Schlawack)
Date: Sat, 10 Jun 2017 08:40:30 +0200
Subject: [Cryptography-dev] pyOpenSSL
In-Reply-To: <39E5B4D3-5684-4387-9448-BACE49351E1E@lukasa.co.uk>
References: <8A3C881F-3A67-4DD6-B09F-AF09804226A3@lukasa.co.uk> <39E5B4D3-5684-4387-9448-BACE49351E1E@lukasa.co.uk>
Message-ID:

>> Are there things we can do to lower the maintenance burden for ourselves? At this point the X.509 layer in cryptography is complete, can we deprecate the one in pyOpenSSL? That'd let us kill a good deal of code, and really get pyOpenSSL down to just an SSL layer, which is all we care about anyways.
>
> Right now there aren't any functions that let you convert to cryptography X509 objects from PyOpenSSL ones or vice versa: only for keys. If we got those for the various X509 objects then I think that'd be a reasonable thing to do.

FWIW, that was kind of my goal since Montreal2 but we never got around to it. Being able to deprecate x509 in pyOpenSSL obsolete it for plenty people. It's still a non-trivial SMOP someone has to actually do. :|

***

Regarding my sentiment that was echo'ed through this thread: pyOpenSSL needs a project lead that actually cares about it. The people currently involved (including myself) do it mostly out of obligation and for the greater good. Which is an unfortunate proposition for free labor.

It would be nice if someone heavily invested in Twisted (since this is the only major remaining user - or is there more?) would pick it up I guess? They'd at least have an intrinsic interest in improving matters. Our interest is to change as little so people don't yell at us because we broke something.
From readthedocs at readthedocs.org Mon Jun 26 21:08:36 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Tue, 27 Jun 2017 01:08:36 -0000
Subject: [Cryptography-dev] Failed: Cryptography (latest)
Message-ID: <20170627010836.31866.21498@web02.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:
https://readthedocs.org/projects/cryptography/builds/5612714/

If you have questions, a good place to start is the FAQ:
https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org

From readthedocs at readthedocs.org Mon Jun 26 21:07:51 2017
From: readthedocs at readthedocs.org (Read the Docs)
Date: Tue, 27 Jun 2017 01:07:51 -0000
Subject: [Cryptography-dev] Failed: Cryptography (latest)
Message-ID: <20170627010751.8082.41151@web03.servers.readthedocs.org>

Build Failed for Cryptography (latest)

You can find out more about this failure here:
https://readthedocs.org/projects/cryptography/builds/5612713/

If you have questions, a good place to start is the FAQ:
https://docs.readthedocs.org/en/latest/faq.html

Keep documenting,
Read the Docs
--
http://readthedocs.org