Breaking change in cryptography

[reaperhulk]

Hey folks, I wanted to file this issue to discuss the impact of landing pyca/cryptography#6639 in an upcoming cryptography release. While these APIs have been deprecated for a long time, certbot itself only merged the change to stop using them 9 days ago in #9105. Do all officially supported versions of certbot pin cryptography or will landing this cause existing installations to break in some situations? We would strongly prefer not to cause you undue support burden, so we're willing to delay removal of these APIs based on your feedback. cc @bmw

[bmw]

Hey @reaperhulk. Thanks a lot for fixing the problem in Certbot and checking with us.

I think you all ideally wouldn't release this change until Certbot 1.22.0 is out containing your PR which we're planning to release on Tuesday, December 7th. The only installations that I can imagine breaking are people installing/upgrading using pip or Certbot installations on rolling release distros. This breakage wouldn't be a big deal so if it's a problem on your end, I think you should feel free to do a release, however, if you're all able to hold off on doing a release for 5 or so days I think we can largely/completely avoid problems here.

[reaperhulk]

5 days is no problem, we likely won’t release 37.0 until some time in January. I was thinking that if you had unpinned scenarios we could wait several months. If it’s really not a concern after the next release then we'll stick to the 37 schedule.

[bmw]

Sounds great. Thanks again.