I copied the python-crypto maintainers alias on this message, as well as
the maintainer aliases for the four packages that depend on it. This
message is just a quick analysis of what depends on
python-crypto/PyCrypto, and what it might take to retire the package if
that’s desired. Other than dropping the BuildRequires in
python-keyrings-alt, as described below, I’m not planning to do any
further work on this.

The same upstream as pycryptodomex[1] also provides pycryptodome[2], a
maintained “almost drop-in” replacement for PyCrypto – so we could
package that if we need to, although it looks like most packages have
moved on to pycryptodomex or other crypto libraries, and there are few
enough dependent packages that retirement looks like it could be feasible.

$ fedrq wrsrc -s python-crypto
calibre-7.16.0-1.fc41.src
python-beaker-1.12.1-7.fc41.src
python-keyrings-alt-5.0.1-4.fc41.src
python-pyaes-1.6.1-24.fc41.src

The python-keyrings-alt dependency can certainly be removed – it is just
a set of integration tests for one of several supported crypto
libraries. I was working on an update to 5.0.2 for this package, and I
added a commit to propose dropping the PyCrypto/pycryptodome tests in a
follow-up commit[3].

I am not sure about calibre – it seems like there might be some
confusing magic going on in that package. It is possible to build
calibre by removing the BuildRequires on python3dist(pycrypto) and
skipping test_pycryptodome, but I am not sure if that is really safe to
do or not. Maintainer input would be useful here.

It looks like python-crypto is only a test dependency for python-pyaes,
but it’s required for the sole test module – so it would be necessary to
stop running tests, or patch the tests to use another reference
implementation, like pycryptodomex.

I haven’t investigated python-beaker closely, but it looks like PyCrypto
might be just one of several supported crypto backends, which suggests
the dependency could probably be removed here too.

[1] https://github.com/Legrandin/pycryptodome/
[2] https://pypi.org/project/pycryptodome/
[3] https://src.fedoraproject.org/fork/packit/rpms/python-keyrings-alt/c/dd05544102a93f93c0f75eff7a7b550c2b767000

On 8/14/24 2:10 PM, Maxwell G wrote:
On 8/14/24 12:51 PM, Miro Hrončok wrote:
There might also be packages using tox with a tox.ini like this one:
https://github.com/pycrypto/pycrypto/blob/master/tox.ini
Can we retire that package? The project's README says:
*PyCrypto 2.x is unmaintained, obsolete, and contains security
vulnerabilities.*