While automating a clean system install I came across the following:
I install

    sudo apt-get -y install libssl-dev libffi-dev
    pip install pyopenssl
    pip install service_identity

And then later on I do a

    pip install identity-toolkit-python-client

This last command results in

    Installing collected packages: httplib2, rsa, oauth2client, pyOpenSSL, simplejson, identity-toolkit-python-client
    Found existing installation: pyOpenSSL 0.15.1
    Uninstalling pyOpenSSL-0.15.1:
    Successfully uninstalled pyOpenSSL-0.15.1
    Successfully installed httplib2-0.9.2 identity-toolkit-python-client-0.1.7 oauth2client-1.5.1 pyOpenSSL-0.14 rsa-3.2 simplejson-3.8.1

Doing a

    import OpenSSL
    OpenSSL.version.__version__

prints out 0.14

Is there a specific reason why

    install_requires = [
        'oauth2client>=1.3.2',
        'pyOpenSSL==0.14',
        'simplejson>=2.3.2',
    ]

it is locked to version 14 in https://github.com/google/identity-toolkit-python-client/blob/master/setup.py?
Could this become a security issue for the system?
Thank you for raising the question, Daniel. The fix was submitted to GitHub just now.
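
For automated installs like the one in this thread, a check that flags when pip replaces an installed package with an older version, as happened to pyOpenSSL above. This is an added example, not part of the original thread or the project's code; the function names are hypothetical and the version comparison is simplified to numeric components.

```python
import re

# pip output copied from the post above.
SAMPLE_PIP_OUTPUT = """\
Installing collected packages: httplib2, rsa, oauth2client, pyOpenSSL, simplejson, identity-toolkit-python-client
Found existing installation: pyOpenSSL 0.15.1
Uninstalling pyOpenSSL-0.15.1:
Successfully uninstalled pyOpenSSL-0.15.1
Successfully installed httplib2-0.9.2 identity-toolkit-python-client-0.1.7 oauth2client-1.5.1 pyOpenSSL-0.14 rsa-3.2 simplejson-3.8.1
"""


def _norm(name):
    # Package names compare case-insensitively, with -, _ and . equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()


def _key(version):
    # Assumption: simplified ordering on numeric components, not full PEP 440.
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_downgrades(pip_output):
    """Return [(name, previous_version, installed_version)] for each downgrade."""
    previous, installed = {}, {}
    for line in pip_output.splitlines():
        line = line.strip()
        m = re.match(r"Found existing installation: (\S+) (\S+)$", line)
        if m:
            previous[_norm(m.group(1))] = (m.group(1), m.group(2))
        elif line.startswith("Successfully installed "):
            # Tokens look like "name-version"; the version follows the last "-".
            for token in line.split()[2:]:
                name, _, version = token.rpartition("-")
                installed[_norm(name)] = version
    return [
        (name, old, installed[key])
        for key, (name, old) in previous.items()
        if key in installed and _key(installed[key]) < _key(old)
    ]


if __name__ == "__main__":
    for name, old, new in find_downgrades(SAMPLE_PIP_OUTPUT):
        print(f"DOWNGRADE {name}: {old} -> {new}")
```

Run it over the captured output of each `pip install` step and fail the provisioning job when the returned list is not empty.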