[opensuse-packaging] pycrypto unmaintained, what to do about fork pycryptodome
pycrypto [1] is an important package, used by a wide variety of Python packages for cryptography. It is also totally unmaintained, having seen no releases or commits since 2014.

There is a well-maintained fork that uses the same namespace, pycryptodome [2]. However, although it is the same in most cases, there are a few places where the API differs [3]. And although it is mostly backwards-compatible, it is not forwards-compatible, adding a bunch of new APIs that packages that depend on it directly may use.

The problem is that more and more packages are now depending directly on pycryptodome rather than pycrypto at install time, and since the two use the same namespace they are not co-installable, so trying to install a package that depends on it results in conflicts with large parts of the Python software stack.

So we need to decide how we are going to handle the situation.

The simplest, but also riskiest, solution would be to have the pycryptodome package provide/obsolete pycrypto, and have packages that require the old API depend on the old pycrypto version number (so pycrypto < 3). But I doubt all of these packages have unit tests, which means we could have breakage.

The most difficult solution would be to manually check each package for compatibility with pycryptodome and switch to it explicitly.

The intermediate solution would be to have pycrypto and pycryptodome provide some other name, and have the packages depend on that name but prefer pycrypto. This means, however, that installing a package that requires pycryptodome specifically could suddenly cause packages you installed previously to break.

We ran into a similar situation with the PIL/Pillow fork, but that had the issue where PIL never supported Python 3, and at least at the time more care seemed to be taken to maintain backwards-compatibility.
[1] https://pypi.python.org/pypi/pycrypto/
[2] https://pypi.python.org/pypi/pycryptodome/
[3] https://www.pycryptodome.org/en/latest/src/vs_pycrypto.html

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
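The "manually check each package" option above is tedious to do by hand, but the first cut can be automated: scan a package's Python sources for calls that PyCrypto offers and PyCryptodome dropped, and only hand-review the hits. The script below is an added example written for this page, not code from the thread, from openSUSE, or from either project. The REMOVED_MODULES and RAW_KEY_METHODS tables are the editor's own selection of entries from the vs_pycrypto compatibility page linked in [3] and are an assumption, not that page's complete list; the SAMPLE source is constructed for the demonstration.

```python
"""Static scan for PyCrypto-only API use that PyCryptodome does not provide.

Editor's added example. It parses Python sources with ``ast`` and reports
(1) imports of modules that exist in PyCrypto but not in PyCryptodome and
(2) raw encrypt/decrypt/sign/verify calls on RSA/DSA/ElGamal key objects,
which PyCryptodome removed in favour of padded schemes. The tables below
are an assumption drawn from the vs_pycrypto page, not a complete list.
"""
import ast
import sys
from typing import List, Set, Tuple

# Modules present in PyCrypto that PyCryptodome does not ship (assumption).
REMOVED_MODULES = {
    "Crypto.Cipher.XOR": "XOR cipher removed (insecure); no replacement",
    "Crypto.Util.randpool": "RandomPool removed; use Crypto.Random.get_random_bytes",
    "Crypto.Random.OSRNG": "OSRNG removed; use Crypto.Random.get_random_bytes",
}

# Raw (unpadded) public-key operations removed from key objects (assumption);
# callers must use Crypto.Cipher.PKCS1_OAEP / Crypto.Signature instead.
KEY_MODULES = {"RSA", "DSA", "ElGamal"}
KEY_CONSTRUCTORS = {"generate", "importKey", "import_key", "construct"}
RAW_KEY_METHODS = {"encrypt", "decrypt", "sign", "verify", "blind", "unblind"}

Finding = Tuple[int, str]  # (line number, message)


def _dotted(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, or '' if not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(src: str) -> List[Finding]:
    """Return sorted findings for one Python source string."""
    tree = ast.parse(src)
    findings: List[Finding] = []
    key_vars: Set[str] = set()

    # Pass 1: removed-module imports and variables bound to key objects.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in REMOVED_MODULES:
                    findings.append((node.lineno, f"{alias.name}: {REMOVED_MODULES[alias.name]}"))
        elif isinstance(node, ast.ImportFrom):
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                if full in REMOVED_MODULES:
                    findings.append((node.lineno, f"{full}: {REMOVED_MODULES[full]}"))
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            func = node.value.func
            if (isinstance(func, ast.Attribute) and func.attr in KEY_CONSTRUCTORS
                    and _dotted(func.value).split(".")[-1] in KEY_MODULES):
                key_vars.update(t.id for t in node.targets if isinstance(t, ast.Name))

    # Pass 2: raw key.encrypt(...) etc. on the variables found above.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            recv = node.func.value
            if isinstance(recv, ast.Name) and recv.id in key_vars and node.func.attr in RAW_KEY_METHODS:
                findings.append((node.lineno,
                                 f"raw {node.func.attr}() on key '{recv.id}' removed; "
                                 "use PKCS1_OAEP / Crypto.Signature"))
    return sorted(findings)


def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


# Constructed sample input: a small module mixing portable and PyCrypto-only API.
SAMPLE = '''\
from Crypto.PublicKey import RSA
from Crypto.Cipher import XOR
from Crypto.Util import randpool
from Crypto.Hash import SHA256

key = RSA.generate(2048)
ct = key.encrypt(b"secret", 0)[0]        # raw RSA, no padding
h = SHA256.new(b"data").hexdigest()      # identical in both libraries
'''

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [(p, scan_file(p)) for p in paths] if paths else [("<sample>", scan_source(SAMPLE))]
    for path, found in results:
        for lineno, msg in found:
            print(f"{path}:{lineno}: {msg}")
```

Run it with no arguments to see the three hits in the constructed sample (lines 2, 3 and 7), or pass the `.py` files of a package to scan them; a package with no findings is a candidate for an explicit pycryptodome dependency, while any hit needs a manual look or an upstream patch before switching. The checker is deliberately conservative: it only tracks key objects bound by simple assignment, so a raw operation on a key returned through a function boundary is not reported.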
On Thursday, 2 November 2017 10:01:51 Todd Rme wrote:
> pycrypto [1] is an important package, used by a wide variety of Python packages for cryptography. It is also totally unmaintained, having seen no releases or commits since 2014.
>
> There is a well-maintained fork that uses the same namespace, pycryptodome [2]. However, although it is the same in most cases, there are a few places where the API differs [3]. And although it is mostly backwards-compatible, it is not forwards-compatible, adding a bunch of new APIs that packages that depend on it directly may use.
>
> The problem is that more and more packages are now depending directly on pycryptodome rather than pycrypto at install time, and since the two use the same namespace they are not co-installable, so trying to install a package that depends on it results in conflicts with large parts of the Python software stack.
Well, pycryptodome comes in two flavours, one sharing the namespace with pycrypto, and a standalone one.
> So we need to decide how we are going to handle the situation.
>
> The simplest, but also riskiest, solution would be to have the pycryptodome package provide/obsolete pycrypto, and have packages that require the old API depend on the old pycrypto version number (so pycrypto < 3). But I doubt all of these packages have unit tests, which means we could have breakage.
Given that the majority of incompatibilities have security implications, I vote for the simplest solution, which I have been following since I got on the pyCryptodome train... I.o.w., the fallout must be fixed or abandoned anyway...

Cheers,
Pete
participants (2)
- Hans-Peter Jansen
- Todd Rme