From rodneywmcbride at protonmail.com Mon Oct 3 11:49:48 2022
From: rodneywmcbride at protonmail.com (Rodney McBride)
Date: Mon, 03 Oct 2022 15:49:48 +0000
Subject: [Cryptography-dev] Quick Question

Is there a plan to get the cryptography package updated to v39 on PyPI?

The reason I ask is because all versions of cryptography below v39 have been flagged by the Safety DB module due to the LibreSSL security vulnerability.

Thanks,

Rodney McBride, Veteran, [Cybersecurity Analyst](https://www.credly.com/badges/9c16f971-4465-4d7d-99ba-beb6a501ee06), [Security Analytics Professional](https://www.credly.com/users/rodney-mcbride/badges), [Security+](https://www.youracclaim.com/badges/b48fbf86-4137-455e-b7c8-4a2a576b8c6f/linked_in_profile)

Sent with [Proton Mail](https://proton.me/) secure email.

From alex.gaynor at gmail.com Mon Oct 3 12:10:26 2022
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Mon, 3 Oct 2022 12:10:26 -0400
Subject: [Cryptography-dev] Quick Question

No, there is no plan to issue a 39 release shortly.

This complaint should be directed at the Safety DB. There is no LibreSSL vulnerability, they are confused. https://github.com/pyupio/safety/issues/413

Alex

On Mon, Oct 3, 2022 at 12:09 PM Rodney McBride via Cryptography-dev wrote:
>
> Is there a plan to get the cryptography package updated to v39 on PyPI?
>
> The reason I ask is because all versions of cryptography below v39 have been flagged by the Safety DB module due to the LibreSSL security vulnerability.
>
> Thanks,
>
> Rodney McBride, Veteran, Cybersecurity Analyst, Security Analytics Professional, Security+
>
> Sent with Proton Mail secure email.

--
All that is necessary for evil to succeed is for good people to do nothing.

From simtiaz at ncsu.edu Wed Oct 5 11:26:41 2022
From: simtiaz at ncsu.edu (simtiaz at ncsu.edu)
Date: Wed, 05 Oct 2022 15:26:41 -0000
Subject: [Cryptography-dev] Is this "pyopenssl" update code reviewed?

Hi,

I am a PhD student from NC State University researching software supply chain security, specifically the secure use of third-party open source packages. As part of our research, we have developed an update audit tool, Depdive, that can analyze if the changes in a package update have passed through a code review process. As part of an empirical evaluation, we studied the update from version 17.5.0 to version 18.0.0 of your package pyopenssl.

As per our analysis, the update consists of 9 new commits. We determined that all of the commits were reviewed by a second developer. Details for each commit and the reasoning on how we determined if a commit was reviewed are provided in the attached CSV file.

We are reaching out to you as the maintainer(s) of pyopenssl, to evaluate if you agree with our analysis. We invite you to fill out this short survey to provide your opinion. The survey should take five minutes at the maximum. Please also fill out the unique ID 15678 for the update discussed in this email to help us track responses.

We thank you for maintaining a great open source package. We would be grateful if you help our research on how downstream users can use third-party packages, like yours, securely in their supply chain. Don't hesitate to contact me if you have any questions regarding this survey or our research in general. More details on our study can be found in our current paper draft.

Nasif Imtiaz
PhD Student
NC State University
nasifimtiazohi.github.io

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pyopenssl_commit_review_stats.csv
Type: text/csv
Size: 1450 bytes
Desc: not available

From paul.l.kehrer at gmail.com Tue Oct 11 15:26:49 2022
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Tue, 11 Oct 2022 15:26:49 -0400
Subject: [Cryptography-dev] PyCA cryptography 38.0.2 released

PyCA cryptography 38.0.2 has been released to PyPI.

cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 3.6+, and PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v38-0-2):

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.

-Paul Kehrer (reaperhulk)

From alex.gaynor at gmail.com Wed Oct 12 10:40:19 2022
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Wed, 12 Oct 2022 10:40:19 -0400
Subject: [Cryptography-dev] PyCA cryptography 38.0.2 yanked

Yesterday, PyCA cryptography 38.0.2 was released to PyPI. Today, we yanked the release from PyPI due to regressions in OpenSSL that led the OpenSSL team to withdraw OpenSSL 3.0.6 (which PyCA cryptography's wheels include). We expect to issue a follow up release once the OpenSSL team has released OpenSSL 3.0.7.

cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 3.6+, and PyPy3.

Alex

--
All that is necessary for evil to succeed is for good people to do nothing.
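The yank notice above matters to anyone who already installed the 38.0.2 wheels, because what they ship is a statically linked OpenSSL rather than the system library. The following is an added example, not code from the PyCA project or this list: it reads the OpenSSL banner that cryptography exposes through `backend.openssl_version_text()` and reports whether it names the withdrawn 3.0.6 build. The banner format assumed ("OpenSSL 3.0.6 4 Oct 2022") is the usual OpenSSL style; the parsing is kept separate from the import so it can be exercised without the package installed.

```python
"""Report which OpenSSL an installed PyCA cryptography wheel is built against.

Added example, not PyCA project code. Assumes OpenSSL banners look like
"OpenSSL 3.0.6 4 Oct 2022" and that 3.0.6 is the release withdrawn by the
OpenSSL team, as stated in the 38.0.2 yank notice.
"""
import re
from typing import Optional, Tuple

# OpenSSL releases known to have been withdrawn upstream (from the yank notice).
WITHDRAWN_OPENSSL = {(3, 0, 6)}

# Matches the numeric part of an OpenSSL banner; a trailing letter such as
# the "q" in "1.1.1q" is ignored, and LibreSSL banners do not match at all.
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(version_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an OpenSSL banner, or None if absent."""
    m = _VERSION_RE.search(version_text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_withdrawn(version_text: str) -> bool:
    """True when the banner names an OpenSSL release that was withdrawn."""
    return parse_openssl_version(version_text) in WITHDRAWN_OPENSSL


def installed_openssl_version() -> Optional[str]:
    """Return the OpenSSL banner of the installed cryptography, or None."""
    try:
        from cryptography.hazmat.backends.openssl import backend
    except ImportError:
        return None
    return backend.openssl_version_text()


def check_installed() -> str:
    """Human-readable verdict on the installed wheel's OpenSSL."""
    banner = installed_openssl_version()
    if banner is None:
        return "cryptography is not installed in this interpreter"
    if is_withdrawn(banner):
        return f"WARNING: {banner!r} is a withdrawn OpenSSL release; upgrade"
    return f"OK: {banner!r}"


if __name__ == "__main__":
    try:
        import cryptography
        print("cryptography", cryptography.__version__)
    except ImportError:
        pass
    print(check_installed())
```

Run it inside the virtual environment you want to audit; a `pip install` that resolved to a yanked release will still import fine, so the banner, not the package metadata, is what tells you which OpenSSL you are actually running.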