Skip to content

Add PyCryptodome to import blacklists #307

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 16, 2018
Merged

Add PyCryptodome to import blacklists #307

merged 1 commit into from
May 16, 2018

Conversation

warthog9
Copy link
Contributor

PyCryptodome is a direct fork of PyCrypto, and is generally
considered to not be the replacement for it. It is recommended
that projects move to pyca/cryptography instead, as this may be
exposing folks to the same inherent issues that PyCrypto was
deprecated because of.

Signed-off-by: John 'Warthog9' Hawley warthog9@eaglescrag.net
Signed-off-by: John 'Warthog9' Hawley jhawley@vmware.com
Signed-off-by: Terri Oda terri.oda@intel.com

@ericwb
Copy link
Member

ericwb commented May 16, 2018

Good catch. We already had blacklisted calls of pycryptodome weak hashes and ciphers, but didn't blacklist the imports themselves. Pycrypto was recently completely blacklisted as an import, so pycryptodome should have been done at the same time.

ericwb
ericwb requested changes May 16, 2018
View reviewed changes
Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Just missing one change to the readme to include 414 in the list. Actually 413 is missing too, but I'll address in a separate patch. We used to have a unit test to verify the readme, but that appears to be broken unfortunately.

@warthog9
Add PyCryptodome to import blacklists
f047fda 
PyCryptodome is a direct fork of PyCrypto, and is generally
considered to not be the replacement for it.  It is recommended
that projects move to pyca/cryptography instead, as this may be
exposing folks to the same inherent issues that PyCrypto was
deprecated because of.

Signed-off-by: John 'Warthog9' Hawley <warthog9@eaglescrag.net>
Signed-off-by: John 'Warthog9' Hawley <jhawley@vmware.com>
Signed-off-by: Terri Oda <terri.oda@intel.com>
@warthog9 warthog9 force-pushed the b413_pycryptodome branch from 2e80d97 to f047fda Compare May 16, 2018 12:53
@warthog9
Copy link
Contributor Author

Rebased, added B414 to README.rst

@ericwb ericwb merged commit 1c716be into PyCQA:master May 16, 2018
@eloquence eloquence mentioned this pull request May 16, 2018
Closed
@redshiftzero redshiftzero mentioned this pull request May 23, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericwb ericwb ericwb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@warthog9 @ericwb