
List:       opensuse-packaging
Subject:    Re: [opensuse-packaging] pycrypro unmaintained, what to do about fork pycryptodome
From:       Hans-Peter Jansen <hpj () urpla ! net>
Date:       2017-11-11 14:11:13
Message-ID: 1596753.8kGr9mjlfR () xrated

On Thursday, 2 November 2017 10:01:51 Todd Rme wrote:
> pycrypto [1] is an important package, used by a wide variety of python
> packages for cryptography. It is also totally unmaintained, having
> seen no releases or commits since 2014.
> 
> There is a well-maintained fork that uses the same namespace,
> pycryptodome [2].  However, although it is the same in most cases,
> there are a few places where the API differs [3].  And although it is
> mostly backwards-compatible, it is not forwards-compatible, adding a
> bunch of new APIs that packages that depend on it directly may use.
> 
> The problem is that more and more packages are now depending directly
> on pycryptodome rather than pycrypto at install time, and since the
> two use the same namespace they are not co-installable, so trying to
> install a package that depends on it results in conflicts with large
> parts of the python software stack.

Well, pycryptodome comes in two flavours, one sharing the namespace with 
pycrypto, and one standalone one.

> So we need to make a decision how we are going to handle the situation.
> 
> The simplest, but also riskiest, solution would be to have the
> pycryptodome package provide/obsolete pycrypto, and have packages that
> require the old API depend on the old pycrypto version number (so
> pycrypto < 3).  But I doubt all of these packages have unit tests,
> which means we could have breakage.

Given that the majority of incompatibilities have security implications, I 
vote for the simplest solution, which I have been following since I got on the 
pyCryptodome train...

In other words, the fallout must be fixed or abandoned anyway...
 
Cheers,
Pete