ElastAlert 2 builds are broken due to Stomp dependency

[jertel]

This issue is being raised to make others aware that the make test-docker is failing as of April 27, 2022. This is due to a PyOpenSSL dependency conflict caused by the Stomp package. That package (version 8.0.0) requires an older PyOpenSSL package, which is no longer compatible with the underlying cryptography library.

An issue has been raised on the Stomp GitHub project: jasonrbriggs/stomp.py#378

[johan-westin-private]

My workaround is to pin cryptography==36.0.2.

[nsano-rururu]

I think it is better to fix the version of the external library to >= with a version that works stably, check the operation, and then increase it.

[jertel]

There's been no response from the Stomp author for a couple days now. I'm curious if anyone has an opinion on whether this Stomp alerter needs to be continued. I see it was originally added to the ElastAlert project 6 years ago. But there has not been a single question about this alerter within our discussions. If no one is using it we should consider dropping it, at least temporarily until we see the Stomp project get some attention.

[nsano-rururu]

Sure, Stomp Alert doesn't remember seeing the question. He doesn't have to worry if he disappears temporarily.

[nsano-rururu]

@ferozsalam

What do you think?

[ferozsalam]

I don't have any issue with dropping it. Anecdotally, I don't know of anyone with an alerting pipeline that uses it. Presumably – if there is anyone – they will complain and we can reevaluate then.

[jertel]

Thanks for your input. I'll leave this as-is for a couple more days. If it's still not fixed I will remove Stomp so that we can get the next ElastAlert 2 release out.

[jertel]

The cryptography package maintainers decided to help us out. They've released a new version that restores the deleted symbols, so we can continue using Stomp 8.0.0 for now. They will remove it again in the future so we'll need to keep an eye out for a newer Stomp package. Closing this issue.