pycrypto unmaintained, what to do about fork pycryptodome


pycrypto unmaintained, what to do about fork pycryptodome

todd rme
pycrypto [1] is an important package, used by a wide variety of python
packages for cryptography. It is also totally unmaintained, having
seen no releases or commits since 2014.

There is a well-maintained fork that uses the same namespace,
pycryptodome [2].  However, although it is the same in most cases,
there are a few places where the API differs [3].  And although it is
mostly backwards-compatible, it is not forwards-compatible, adding a
bunch of new APIs that packages that depend on it directly may use.

The problem is that more and more packages are now depending directly
on pycryptodome rather than pycrypto at install time, and since the
two use the same namespace they are not co-installable, so trying to
install a package that depends on it results in conflicts with large
parts of the python software stack.

So we need to make a decision how we are going to handle the situation.

The simplest, but also riskiest, solution would be to have the
pycryptodome package provide/obsolete pycrypto, and have packages that
require the old API depend on the old pycrypto version number (so
pycrypto < 3).  But I doubt all of these packages have unit tests,
which means we could have breakage.

The most difficult solution would be to manually check each package
for compatibility with pycryptodome and switch to it explicitly.

The intermediate solution would be to have pycrypto and pycryptodome
provide some other name, and have the packages depend on that name but
prefer pycrypto.  This means, however, that installing a package that
requires pycryptodome specifically could suddenly cause packages you
installed previously to break.

We ran into a similar situation with the PIL/Pillow fork, but that had
the issue where PIL never supported python3, and at least at the time
more care seemed to be taken to maintain backwards-compatibility.

1: https://pypi.python.org/pypi/pycrypto/
2: https://pypi.python.org/pypi/pycryptodome/
3: https://www.pycryptodome.org/en/latest/src/vs_pycrypto.html
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: pycrypto unmaintained, what to do about fork pycryptodome

Hans-Peter Jansen-2
On Thursday, 2 November 2017 10:01:51 Todd Rme wrote:

> pycrypto [1] is an important package, used by a wide variety of python
> packages for cryptography. It is also totally unmaintained, having
> seen no releases or commits since 2014.
>
> There is a well-maintained fork that uses the same namespace,
> pycryptodome [2].  However, although it is the same in most cases,
> there are a few places where the API differs [3].  And although it is
> mostly backwards-compatible, it is not forwards-compatible, adding a
> bunch of new APIs that packages that depend on it directly may use.
>
> The problem is that more and more packages are now depending directly
> on pycryptodome rather than pycrypto at install time, and since the
> two use the same namespace they are not co-installable, so trying to
> install a package that depends on it results in conflicts with large
> parts of the python software stack.

Well, pycryptodome comes in two flavours, one sharing the namespace with
pycrypto, and a stand-alone one.

> So we need to make a decision how we are going to handle the situation.
>
> The simplest, but also riskiest, solution would be to have the
> pycryptodome package provide/obsolete pycrypto, and have packages that
> require the old API depend on the old pycrypto version number (so
> pycrypto < 3).  But I doubt all of these packages have unit tests,
> which means we could have breakage.

Given that the majority of incompatibilities have security implications, I
vote for the simplest solution, which I have been following since I got on
the pyCryptodome train...

I.o.w., the fallout must be fixed or abandoned anyway...
 
Cheers,
Pete
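The namespace collision the thread is about (both projects install `Crypto`, while pycryptodome also ships the stand-alone `Cryptodome` package Pete mentions) can be detected at import time. The following is an added example, not code from either poster or either project; it relies only on `Crypto.__version__`, which both projects set (pycrypto's last release is 2.6.1, every pycryptodome release is 3.x), and takes an injectable `import_module` so both flavours can be exercised without installing anything.

```python
"""Tell which project backs the shared ``Crypto`` namespace (added example,
not code from the thread).  pycrypto and pycryptodome both install ``Crypto``;
pycryptodome also ships a stand-alone ``Cryptodome`` package that never
collides.  pycrypto's last release is 2.6.1 (2014) and every pycryptodome
release is 3.x, so the major version of ``Crypto.__version__`` tells them apart.
"""
import importlib

LEGACY_MAJOR = 2  # pycrypto never reached 3.x; pycryptodome starts there


def _major(version):
    """'2.6.1' -> 2, '3.4.7' -> 3; missing or odd strings -> None."""
    try:
        return int(str(version).split(".")[0])
    except ValueError:
        return None


def detect_backend(import_module=importlib.import_module):
    """Return (project, namespace): ('pycryptodome', 'Cryptodome'),
    ('pycryptodome', 'Crypto'), ('pycrypto', 'Crypto') or (None, None).
    The stand-alone namespace is tried first: a stale pycrypto install
    cannot shadow it, so no version sniffing is needed on that path."""
    try:
        import_module("Cryptodome")
        return "pycryptodome", "Cryptodome"
    except ImportError:
        pass
    try:
        crypto = import_module("Crypto")
    except ImportError:
        return None, None
    major = _major(getattr(crypto, "__version__", None))
    # An unknown version is treated as the legacy project (fail closed).
    if major is None or major <= LEGACY_MAJOR:
        return "pycrypto", "Crypto"
    return "pycryptodome", "Crypto"


def require_maintained_backend(import_module=importlib.import_module):
    """Namespace a package should import from; refuses unmaintained pycrypto."""
    project, namespace = detect_backend(import_module)
    if project is None:
        raise ImportError("neither pycryptodome nor pycrypto is installed")
    if project == "pycrypto":
        raise ImportError("'Crypto' is provided by unmaintained pycrypto "
                          "(last release 2014); install pycryptodome")
    return namespace
```

A package that wants to avoid the conflict entirely can import from whatever `require_maintained_backend()` returns, which prefers `Cryptodome` whenever it is present.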