From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
Date: Thu, 05 Jan 2017 11:39:58 +0100
Message-ID: <87bmvlvlhd.fsf@gnu.org>
References: <20161226174344.GA10842@jasmine> <20161226180844.GA12367@jasmine> <20161227005405.GA13558@jasmine> <87k2adchzd.fsf@gnu.org> <20170103045947.GA13839@jasmine>
In-Reply-To: <20170103045947.GA13839@jasmine> (Leo Famulari's message of "Mon, 2 Jan 2017 23:59:47 -0500")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari skribis:

> On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
>> Leo Famulari skribis:
>> > Based on my discussion with the Stem maintainer, I removed pycrypto from
>> > the dependency graph of OnionShare and added a comment about removing
>> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
>> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
>>
>> Thanks. Looks like another case of an important piece of software
>> lacking a maintainer…
>
> At this point, I think it's recommended to use the 'cryptography'
> module, which we have as python-cryptography. This seems to be where all
> the development energy is being spent.
> Debian adapted the upstream patch:
> https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
>
> What do people think?

Maybe we should apply this patch as well as progressively migrate to
python-cryptography whenever possible?

Ludo’.