Conversation

@vgrozdanic
Member

@vgrozdanic vgrozdanic commented Jun 5, 2025

Adds tink package that will be used in a first iteration of EncryptedField in Sentry

Closes TET-582: Add tink package to sentry pypi

@vgrozdanic vgrozdanic requested review from mdtro and oioki June 5, 2025 10:50
@vgrozdanic vgrozdanic marked this pull request as ready for review June 5, 2025 10:50
Contributor

@asottile-sentry asottile-sentry left a comment

as before, I really don't want us to use tink; it is a huge maintenance liability and is significantly different from how most of the Python community does things. #1375 (comment)

for example it alone would have delayed our python 3.13 upgrade by six months

@vgrozdanic
Member Author

> as before, I really don't want us to use tink; it is a huge maintenance liability and is significantly different from how most of the Python community does things. #1375 (comment)
>
> for example it alone would have delayed our python 3.13 upgrade by six months

I agree with you, but tink will be used only in the first iteration so that we can start working on this, because there is a bunch of other things to figure out around this. There is a plan to add support for tink primitives in the cryptography library in parallel with this work, so that we can replace tink as soon as it lands in the cryptography library. That would be a drop-in replacement for tink. This should be replaced with cryptography well before the next Python release.

The other option would be to use a custom library/wrapper around Fernet (written by us), which is less secure than tink, and we might not be aware of some problems with the way tink does serialization of data (I am not expecting any problems here, but it's hard to tell) and the way we handle the data across the system and in backups.

We can even delay GA of this until we have a functioning version without tink as a dependency. In case this is still not present in cryptography by the time we want to upgrade Python, we can just rip tink out and do the Python upgrade.

@asottile-sentry
Contributor

I'd rather we never introduce it at all. Once it's available, it's going to be nearly impossible to prevent / rip out.

@vgrozdanic
Member Author

Understandable, closing this then. We can start the work with other libraries and switch to a newer version of cryptography once it is ready.

@vgrozdanic vgrozdanic closed this Jun 5, 2025
@asottile-sentry asottile-sentry deleted the vgrozdanic/crypto-add-tink branch July 1, 2025 12:52