Skip to content

Handle cryptography #2372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Bibo-Joshi opened this issue Feb 9, 2021 · 3 comments · Fixed by #2386
Closed

Handle cryptography #2372

Bibo-Joshi opened this issue Feb 9, 2021 · 3 comments · Fixed by #2386
Labels
⚙️ security affected functionality: security

Comments

@Bibo-Joshi
Copy link
Member

seems like #2370 was too short-sighted as

We'll need to check out

  • How this affects our building process
  • How we can reasonably protect our users from install problems. Mind you, installation problems of 3rd party deps is not fully our problem, but if the majority of our users can't install it, then our package is worthless.

One could just pin cryptography to < 3.4 for starters and just wait a bit until the dust settles …
@Bibo-Joshi Bibo-Joshi added the ⚙️ security affected functionality: security label Feb 9, 2021
@Bibo-Joshi
Copy link
Member Author

PS: RTD might be easy to fix with the V2 configuration file, which allows to install via pip instead of setup.py. Still we'll have to check out, if our release process or building from source process is affected.

@Poolitzer Telegram GithubBot Revised
Copy link
Member

@Bibo-Joshi +1 for requiring lower version for the time being, we could release this together with the default fix as a Hotifx, then take care of a good long time solution

@tsnoam Telegram GithubBot Revised
Copy link
Member

tsnoam commented Feb 9, 2021

@Bibo-Joshi My vote is to pin on a lower version.

As long as it doesn't have known security vulnerabilities.

This was referenced Feb 9, 2021
Closed
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Feb 15, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
⚙️ security affected functionality: security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make cryptography optional python-telegram-bot/python-telegram-bot
3 participants
@tsnoam @Bibo-Joshi @Poolitzer