
List:       opensuse-factory
Subject:    [opensuse-factory] pycrypto unmaintained, what to do about fork pycryptodome
From:       Todd Rme <toddrme2178 () gmail ! com>
Date:       2017-11-02 14:01:51
Message-ID: CADb7s=uViQ6RJiFRj1x+uxQ5cWR8vHoQjjqAgb7WqBujm9C=6w () mail ! gmail ! com

pycrypto [1] is an important package, used by a wide variety of python
packages for cryptography. It is also totally unmaintained, having
seen no releases or commits since 2014.

There is a well-maintained fork that uses the same namespace,
pycryptodome [2]. However, although it is the same in most cases,
there are a few places where the API differs [3]. And although it is
mostly backwards-compatible, it is not forwards-compatible, adding a
bunch of new APIs that packages that depend on it directly may use.

The problem is that more and more packages are now depending directly
on pycryptodome rather than pycrypto at install time, and since the
two use the same namespace they are not co-installable, so trying to
install a package that depends on it results in conflicts with large
parts of the python software stack.

So we need to make a decision on how we are going to handle the situation.

The simplest, but also riskiest, solution would be to have the
pycryptodome package provide/obsolete pycrypto, and have packages that
require the old API depend on the old pycrypto version number (so
pycrypto < 3). But I doubt all of these packages have unit tests,
which means we could have breakage.

The most difficult solution would be to manually check each package
for compatibility with pycryptodome and switch to it explicitly.

The intermediate solution would be to have pycrypto and pycryptodome
provide some other name, and have the packages depend on that name but
prefer pycrypto.  This means, however, that installing a package that
requires pycryptodome specifically could suddenly cause packages you
installed previously to break.

We ran into a similar situation with the PIL/Pillow fork, but that had
the issue where PIL never supported python3, and at least at the time
more care seemed to be taken to maintain backwards-compatibility.

1: https://pypi.python.org/pypi/pycrypto/
2: https://pypi.python.org/pypi/pycryptodome/
3: https://www.pycryptodome.org/en/latest/src/vs_pycrypto.html
-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
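The "manually check each package" option above is a lot of work by hand. A cheap first pass is a static scan for imports of pycrypto modules that pycryptodome dropped, which flags the packages that definitely cannot be switched unchanged and leaves the rest for a real test run. The script below is an added example for this thread, not code from the original post or from either project. The DROPPED table is my own short list of modules I know pycryptodome removed or renamed (XOR, randpool, OSRNG, RFC1751, RIPEMD); it is a starting point, not the full list from the compatibility page [3]. The sample source it scans is constructed inline, so it runs without either library installed.

```python
"""Static first pass for the pycrypto -> pycryptodome switch.

Parses Python sources and reports imports of pycrypto modules that are
absent from (or renamed in) pycryptodome.  Constructed example; it needs
neither library to be installed.
"""
import ast
from pathlib import Path

# Modules present in pycrypto 2.6.1 but dropped or renamed in pycryptodome.
# Assumption: this is a hand-picked subset, not the complete list from
# https://www.pycryptodome.org/en/latest/src/vs_pycrypto.html
DROPPED = {
    "Crypto.Cipher.XOR": "XOR 'cipher' removed",
    "Crypto.Util.randpool": "randpool removed; use Crypto.Random.get_random_bytes",
    "Crypto.Random.OSRNG": "OSRNG removed; use Crypto.Random.get_random_bytes",
    "Crypto.Util.RFC1751": "RFC1751 word encoding removed",
    "Crypto.Hash.RIPEMD": "renamed to Crypto.Hash.RIPEMD160",
}


def _imported_names(tree):
    """Yield (dotted_name, lineno) for every module an import can refer to."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name, node.lineno
        elif isinstance(node, ast.ImportFrom) and node.module:
            # `from Crypto.Cipher import XOR` names Crypto.Cipher.XOR ...
            for alias in node.names:
                yield f"{node.module}.{alias.name}", node.lineno
            # ... and `from Crypto.Util.randpool import X` names the module itself.
            yield node.module, node.lineno


def _matches(name, dropped):
    # Exact module, or a submodule of it; "Crypto.Hash.RIPEMD160" must NOT
    # match "Crypto.Hash.RIPEMD", hence the trailing dot in the prefix test.
    return name == dropped or name.startswith(dropped + ".")


def find_dropped_imports(source, filename="<string>"):
    """Return [(filename, lineno, dotted_name, reason)] sorted by line.

    One finding per (line, dropped module), so an import that names both
    the module and a symbol from it is reported once.
    """
    tree = ast.parse(source, filename)
    seen = {}
    for name, lineno in _imported_names(tree):
        for dropped, reason in DROPPED.items():
            if _matches(name, dropped):
                seen.setdefault((lineno, dropped), (filename, lineno, name, reason))
                break
    return [seen[k] for k in sorted(seen)]


def scan_tree(root):
    """Scan every *.py under `root` (e.g. an unpacked sdist) and collect findings."""
    findings = []
    for path in Path(root).rglob("*.py"):
        try:
            findings.extend(find_dropped_imports(path.read_text(), str(path)))
        except (SyntaxError, UnicodeDecodeError):
            pass  # py2-only or non-UTF-8 file; inspect by hand
    return findings


# Constructed sample: lines 1, 2 and 4 must be flagged, line 3 must not.
SAMPLE = """\
from Crypto.Cipher import AES, XOR
from Crypto.Util.randpool import RandomPool
from Crypto.Hash import RIPEMD160   # already the pycryptodome name
import Crypto.Random.OSRNG.posix as rng
"""

if __name__ == "__main__":
    for fn, line, name, reason in find_dropped_imports(SAMPLE, "sample.py"):
        print(f"{fn}:{line}: {name}: {reason}")
```

Run `scan_tree()` over an unpacked source tarball to triage a package; a clean result does not prove compatibility (behavioural differences such as the stricter MODE_CTR counter handling are not visible to an import scan), so packages that pass still need their test suite run against pycryptodome.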
