Make importable from Crypto and Cryptodome by default
Many modern packages depend on pycryptodome, which is recommended as the 'default' replacement for pycrypto.
As pycryptodome is a superset of the algorithms featured in pycrypto, it's important for these packages that we don't accidentally import pycrypto, otherwise things may break unexpectedly at runtime.
This is normally what the pycryptodomex package is for. However, most distributions don't bother packaging it:
```
# Debian 11 Bullseye
[evan@blackbox ~] apt search cryptodomex
Sorting... Done
Full Text Search... Done
# Ubuntu 20.04
[evan@tikhonov ~] apt search cryptodomex
Sorting... Done
Full Text Search... Done
```
If use_separate_namespace is made True in setup.py, then the default package will provide both the Crypto and Cryptodome modules, obviating the need for pycryptodomex.
Relevant issues in my packages: https://github.com/libkeepass/pykeepass/issues/302 https://github.com/libkeepass/pykeepass/pull/232
Any thoughts on this?
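An added example, not code from any participant in this thread or from pycryptodome itself: a guarded import that prefers the Cryptodome namespace and accepts Crypto only when it comes from pycryptodome. The names `classify`, `load_crypto` and `fake_importer` are hypothetical, and the check assumes pycrypto reports a major version of 2 (its last release was 2.6.1) while pycryptodome reports 3 or higher.

```python
import importlib
from types import SimpleNamespace

# Constructed stand-ins for the two packages' top-level modules.
# Assumption: pycrypto stopped at 2.6.1; pycryptodome reports major version 3+.
PYCRYPTO = SimpleNamespace(version_info=(2, 6, 1, "final", 0))
PYCRYPTODOME = SimpleNamespace(version_info=(3, 20, "0"))


def classify(module):
    """Tell which project a Crypto/Cryptodome top-level module came from."""
    info = getattr(module, "version_info", None)
    if not info or not isinstance(info[0], int):
        return "unknown"
    return "pycryptodome" if info[0] >= 3 else "pycrypto"


def load_crypto(importer=importlib.import_module):
    """Return (namespace, module), preferring Cryptodome, never pycrypto."""
    rejected = []
    for name in ("Cryptodome", "Crypto"):
        try:
            module = importer(name)
        except ImportError:
            continue
        origin = classify(module)
        if origin == "pycryptodome":
            return name, module
        rejected.append(f"{name} is {origin}")
    detail = "; ".join(rejected) or "nothing installed"
    raise ImportError("no pycryptodome found: " + detail)


def fake_importer(installed):
    """Build an importer over a dict of constructed modules (demo only)."""
    def _import(name):
        if name not in installed:
            raise ImportError(name)
        return installed[name]
    return _import


if __name__ == "__main__":
    # Only the Crypto namespace is present, and it is pycryptodome: accepted.
    print(load_crypto(fake_importer({"Crypto": PYCRYPTODOME}))[0])
    # Only the Crypto namespace is present, and it is pycrypto: refused.
    try:
        load_crypto(fake_importer({"Crypto": PYCRYPTO}))
    except ImportError as exc:
        print(exc)
```

Calling `load_crypto()` with no argument runs the same check against whatever is actually installed in the interpreter.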
@Evidlo Simply making it available under two namespaces might be difficult, as it will not allow the parallel usage of PyCrypto and Pycryptodome. I could imagine the following: Pycryptodomex continues to exist as before, but Pycryptodome changes to be a simple shim depending on Pycryptodomex. This ensures the Cryptodome namespace will always be available.
Anyway I don't know if this is an issue at all. Debian does indeed use the Cryptodome namespace, as it was possible -- up to Debian 10 I think -- to install PyCrypto and Pycryptodome in parallel. On RedHat based systems, the package is already known as python(2|3|)-pycryptodomex which provides the Cryptodome namespace only as well.
What is the valid use case of continuing to support parallel installation of PyCrypto? It is unmaintained since 2014, does not run correctly on multiple counts with modern versions of python, does not build at all with current versions of setuptools, has various security vulnerabilities which will never be fixed, and as of the beginning of this year, has received the first commits in nearly a decade... which are an update to the README pointing people at pycryptodome, followed by archiving the repository.
It's official. PyCrypto is so dead it's telling people that it is dead and should not be used. Victory has been achieved; all uses of import Crypto MUST be using cryptodome.
It makes sense to take over that import namespace, have both versions provide both imports, and make one of the PyPI names into a "legacy name".