Drop upper bounds on cryptography and pyopenssl#802
Open
hauntsaninja wants to merge 1 commit intooracle:masterfrom
Open
Drop upper bounds on cryptography and pyopenssl#802hauntsaninja wants to merge 1 commit intooracle:masterfrom
hauntsaninja wants to merge 1 commit intooracle:masterfrom
Conversation
These are security critical dependencies. Bounds here limit people's ability to respond to vulnerabilities. See also https://iscinumpy.dev/post/bound-version-constraints/
|
Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application. When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated. If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public. |
oracle-contributor-agreement
bot
added
the
OCA Required
|
See also #805 |
akx
added a commit
to akx/oci-python-sdk
that referenced
this pull request
Mar 18, 2026
The only place where `OpenSSL` is used is via an indirect dependency from `urllib3.contrib.pyopenssl`, which itself is only used when the Python built-in SSL module doesn't support SNI (Server Name Indication). That module itself is only imported via the vendored `requests` init, _iff_ `ssl.HAS_SNI` is `False`, or as an optional import in vendored `requests.help` (which is never imported by code; in the original `requests` library, it's supposed to be run as a command-line module, but it's unlikely `python -m oci._vendor.requests.help` is a real use case). The `urllib3.contrib.pyopenssl` module's docstring says: > This module was relevant before the standard library ``ssl`` > module supported SNI, but now that we've dropped support for > Python 2.7 all relevant Python versions support SNI so > **this module is no longer recommended**. This is related to oracle#802; right now there are upper version pins on `pyOpenSSL`, which prevent downstream users from upgrading to e.g. non-vulnerable versions of that library downstream. Signed-off-by: Aarni Koskela <akx@iki.fi>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
These are security critical dependencies. Bounds here limit people's ability to respond to vulnerabilities.
See also #700 #692 #681 #618 #568 #548 #515
See also https://iscinumpy.dev/post/bound-version-constraints/