
While automating a clean system install I came across the following:

I install

sudo apt-get -y install libssl-dev libffi-dev
pip install pyopenssl
pip install service_identity

And then later on I do a

pip install identity-toolkit-python-client

This last command results in

Installing collected packages: httplib2, rsa, oauth2client, pyOpenSSL, simplejson, identity-toolkit-python-client
  Found existing installation: pyOpenSSL 0.15.1
    Uninstalling pyOpenSSL-0.15.1:
      Successfully uninstalled pyOpenSSL-0.15.1
Successfully installed httplib2-0.9.2 identity-toolkit-python-client-0.1.7 oauth2client-1.5.1 pyOpenSSL-0.14 rsa-3.2 simplejson-3.8.1

Doing a

import OpenSSL
OpenSSL.version.__version__

prints out 0.14

Is there a specific reason why

install_requires = [
  'oauth2client>=1.3.2',
  'pyOpenSSL==0.14',
  'simplejson>=2.3.2',
]

it is locked to version 14 in https://github.com/google/identity-toolkit-python-client/blob/master/setup.py?

Could this become a security issue for the system?

Daniel F
  • I would suggest raising an issue on GitHub for the project. I don't think there is a reason because the latest change to that dependency was just a commit called "Update dependencies" and it gives no reason for locking at 0.14. – skyler Nov 03 '15 at 18:40
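
An added example, not code from the question, the answer, or the identity-toolkit-python-client project: a small standard-library check that scans a package's install_requires for exact pins that would force pip to downgrade something already installed, which is exactly what pyOpenSSL==0.14 did to the 0.15.1 install above. The requirement grammar it understands is a deliberate subset of PEP 508/440 (package name plus ==, >=, <=, >, <, != with numeric versions), the INSTALLED table is constructed sample data, and relax_exact_pins shows one way to loosen such a pin (rewriting == to >=); that rewrite is an assumption about a remedy, not a statement of what the project's fix actually changed.

```python
"""Flag exact version pins in install_requires that would force pip to
downgrade an already-installed, newer package.

Standard library only. Requirement parsing covers a small subset of
PEP 508/PEP 440: a distribution name followed by ==, >=, <=, >, <, !=
specifiers with purely numeric versions (no pre-release or local tags).
INSTALLED below is constructed sample data mirroring the page.
"""
import re
from typing import Dict, List, Tuple

# The install_requires quoted in the question.
INSTALL_REQUIRES = [
    'oauth2client>=1.3.2',
    'pyOpenSSL==0.14',
    'simplejson>=2.3.2',
]

# Constructed sample of what was already installed before the last pip run.
INSTALLED = {
    'pyOpenSSL': '0.15.1',
    'oauth2client': '1.5.1',
    'six': '1.10.0',
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"(==|>=|<=|!=|>|<)\s*([0-9][0-9.]*)")

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def canonical(name: str) -> str:
    """Normalise a distribution name the way pip does (case, '-', '_', '.')."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '0.15.1' into (0, 15, 1) so versions compare numerically.
    Trailing zero segments are dropped so that 0.14 and 0.14.0 compare equal."""
    parts = [int(p) for p in version.split(".") if p != ""]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'pyOpenSSL==0.14' into ('pyOpenSSL', [('==', '0.14')])."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError("unparseable requirement: %r" % req)
    name, spec = m.group(1), m.group(2)
    return name, _SPEC_RE.findall(spec)


def satisfies(installed: str, specs: List[Tuple[str, str]]) -> bool:
    """True if the installed version meets every specifier."""
    iv = version_key(installed)
    return all(_OPS[op](iv, version_key(v)) for op, v in specs)


def downgrade_pins(install_requires: List[str],
                   installed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, pinned_version, installed_version) for each exact pin
    that pip could only satisfy by downgrading an installed package."""
    by_name = {canonical(k): v for k, v in installed.items()}
    hits = []
    for req in install_requires:
        name, specs = parse_requirement(req)
        current = by_name.get(canonical(name))
        if current is None:
            continue  # not installed yet: pip will just install the pin
        for op, pinned in specs:
            if op == "==" and version_key(pinned) < version_key(current):
                hits.append((name, pinned, current))
    return hits


def relax_exact_pins(install_requires: List[str]) -> List[str]:
    """Rewrite 'pkg==X' as 'pkg>=X'. One possible remedy (assumption), shown
    so the check can be re-run against the loosened requirements."""
    return [re.sub(r"==\s*", ">=", r) if "==" in r else r
            for r in install_requires]


if __name__ == "__main__":
    for name, pinned, current in downgrade_pins(INSTALL_REQUIRES, INSTALLED):
        print("%s: pinned to %s, would downgrade installed %s"
              % (name, pinned, current))
    print("after relaxing:", downgrade_pins(relax_exact_pins(INSTALL_REQUIRES),
                                            INSTALLED))
```

Running it against the page's data reports the single pyOpenSSL pin; after the pin is relaxed the check comes back empty. Run the same check against the output of `pip freeze` (parsed into a name-to-version dictionary) before installing anything with an exact pin, and treat a hit on a TLS or crypto library as something to investigate rather than accept.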

1 Answer


Thank you for raising the question, Daniel. The fix was submitted to GitHub just now.

Jin Liu
  • until pushed to pypi, `pip install -U https://github.com/google/identity-toolkit-python-client/archive/master.zip` does the job, which also retroactively uninstalls the 0.14 version so that everything is fine. – Daniel F Nov 04 '15 at 07:41
  • Just updated the library on PyPi, so `pip install identity-toolkit-python-client` should be okay now. – RevolutionTech Nov 04 '15 at 18:35