[FSSDK-10317] Remove PyOpenSSL and cryptography from requirements #435

Merged
merged 1 commit into from
Jun 25, 2024


@Mat001 Mat001 commented Jun 25, 2024

Summary

PyOpenSSL and cryptography packages are no longer required and can potentially introduce a security risk as pointed out by PeterJCLaw in his reported GitHub issue.

The SDK used to use the requests extra option requests[security], which included the PyOpenSSL and cryptography packages to enhance SSL/TLS support, particularly for older versions of Python that lacked certain security features.

The requests[security] extra was officially deprecated in version 2.25.0 of the requests library, released on November 11, 2020. The deprecation notice indicated that this extra would be removed in version 2.26.0. The primary reason for deprecation was the improved native SSL/TLS support in modern Python versions, making the extra dependencies redundant.

Based on the above we replaced requests[security] with its components including PyOpenSSL and cryptography. But it looks like we didn't need to do so.

According to research, users are now encouraged to rely on the native SSL/TLS support provided by Python's standard library. The requests library itself continues to support secure HTTP requests (HTTPS) out of the box, leveraging the built-in ssl module in Python.

We removed Py v2.x and some older Py 3.x versions and so we can now use native SSL/TLS support in modern Python versions we're using. If all tests are passing, then PyOpenSSL and cryptography can be safely removed.

Test plan

  • local unit test passing
  • PR check passing; specifically, the full stack compatibility test suite must pass, as it has the most comprehensive test coverage

Issues

@Mat001 Mat001 requested a review from a team as a code owner June 25, 2024 17:22
@Mat001 Mat001 self-assigned this Jun 25, 2024
@Mat001 Mat001 changed the title remove two modules from core requirements [FSSDK-10317] Remove PyOpenSSL and cryptography from requirements Jun 25, 2024
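
A check for the cleanup this PR describes, as an added example that is not part of the PR or the SDK's code: it flags requirement lines that still pull in PyOpenSSL or cryptography (directly or through `requests[security]`) and reports what the interpreter's built-in `ssl` module provides. The sample requirements text and all function names are constructed for illustration.

```python
import re
import ssl

# Distributions the PR removes; requests[security] is the extra that used to pull them in.
LEGACY_TLS_PACKAGES = {"pyopenssl", "cryptography"}
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[([^\]]*)\])?")

SAMPLE_REQUIREMENTS = """\
# constructed sample, not the project's requirements file
jsonschema>=3.2.0
requests[security]>=2.21
pyOpenSSL>=22.0
cryptography>=39.0
idna>=2.10
"""

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_legacy_tls_requirements(requirements_text):
    """Return (line_no, requirement, reason) for every line that still drags in the old TLS stack."""
    findings = []
    for lineno, raw in enumerate(requirements_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, -e, ...)
            continue
        m = _REQ.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        extras = {normalize(e.strip()) for e in (m.group(2) or "").split(",") if e.strip()}
        if name in LEGACY_TLS_PACKAGES:
            findings.append((lineno, line, "direct dependency"))
        elif name == "requests" and "security" in extras:
            findings.append((lineno, line, "deprecated requests[security] extra"))
    return findings

def native_tls_features():
    """What the standard-library ssl module offers without any third-party TLS package."""
    ctx = ssl.create_default_context()
    return {"openssl": ssl.OPENSSL_VERSION, "sni": ssl.HAS_SNI,
            "tls1_2": ssl.HAS_TLSv1_2, "tls1_3": ssl.HAS_TLSv1_3,
            "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": ctx.check_hostname}

if __name__ == "__main__":
    for finding in find_legacy_tls_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
    print(native_tls_features())
```
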
@jaeopt jaeopt left a comment

LGTM

@Mat001 Mat001 merged commit 5caf9a5 into master Jun 25, 2024
25 checks passed
@Mat001 Mat001 deleted the mpirnovar-redundant-packages branch June 25, 2024 19:44
@Mat001 Mat001 restored the mpirnovar-redundant-packages branch June 25, 2024 19:53