Opened 4 years ago

Closed 4 years ago

#25844 closed task (fixed)

Remove package pycrypto

Reported by: slelievre Owned by:
Priority: critical Milestone: sage-8.4
Component: packages: standard Keywords: remove, package, pycrypto
Cc: arojas, chapoton, cschwan, embray, fbissey, gh-timokau, infinity0, novoselt, pcpa, saraedum, schilly, slelievre, strogdon, thansen, tmonteil, vbraun, was Merged in:
Authors: Erik Bray Reviewers: Thierry Monteil
Report Upstream: N/A Work issues:
Branch: b6aa427 (Commits, GitHub, GitLab) Commit: b6aa427621291c1956866c834bbc9473f6c480e8
Dependencies: Stopgaps:


Description

In short: pycrypto is no longer maintained, but also no longer used in Sage.

We should stop shipping it.

If needed, pycryptodome could serve as a replacement.

More detail below.


In this sage-packaging discussion, François Bissey, who maintains Sage-on-Gentoo, reports that

pycrypto is dead upstream and contains unfixed security bugs.

and considers removing it for Gentoo.

Antonio Rojas, who packages Sage for Arch Linux, says it was already removed from Arch Linux:

AFAIK pycrypto wasn't used by sagenb itself, but only via twisted, and they switched to cryptography in 16.0 [1]. Anyhow, secure sagenb works fine here without pycrypto.

The latest pycrypto on PyPI is release 2.6.1 from 17 Oct 2013.

This message from Fri 21 Jul 2017 19:21:01 UTC on the pycrypto mailing list reads:

As this project hasn't seen commits on master (or perhaps any branch) in over three years, it appears to be dead.

However, pycryptodome is alive and well! It's a fork off the latest pycrypto and contains many bugfixes and enhancements. Most importantly, it's an ongoing project.

https://github.com/Legrandin/pycryptodome

https://www.pycryptodome.org/

There are two ways to install it: for a seamless experience I recommend uninstalling pycrypto (if present) and installing pycryptodome.

(pycryptodomex has its uses for some, but would mean editing your imports, whereas pycryptodome is a drop-in replacement for pycrypto.)

If you have issues with installing or using pycryptodome, there are resources there to guide you and an active issue tracker as well.
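The drop-in relationship described in the quoted message (pycryptodome and pycrypto both own the `Crypto` import namespace, pycryptodomex lives under `Cryptodome`) is what makes an environment check useful before and after the swap. The script below is an added example, not code from this ticket, from Sage or from the pycryptodome project; it uses only the standard library, so it runs even where neither library is installed, and the pip commands it prints are the ones the message recommends.

```python
# Added example (not from the Sage ticket or the pycryptodome project):
# report which distribution owns the `Crypto` import namespace and which
# pip steps would move the environment to pycryptodome.
from importlib import metadata

# pycrypto and pycryptodome both install the top-level `Crypto` package,
# which is why pycryptodome is a drop-in replacement and also why the two
# must never share a site-packages. pycryptodomex installs `Cryptodome`
# instead, so it never collides but requires rewriting imports.
CRYPTO_OWNERS = {"pycrypto", "pycryptodome"}
SEPARATE_NAMESPACE = {"pycryptodomex"}


def classify(installed):
    """Verdict for a set of installed distribution names (case-insensitive)."""
    names = {n.lower() for n in installed}
    owners = sorted(names & CRYPTO_OWNERS)
    if len(owners) > 1:
        return "conflict: %s both install Crypto/" % " and ".join(owners)
    if "pycrypto" in names:
        return "pycrypto: unmaintained (last release 2.6.1, 2013); migrate"
    if "pycryptodome" in names:
        return "pycryptodome: maintained drop-in owner of Crypto/"
    if names & SEPARATE_NAMESPACE:
        return "pycryptodomex only: code must import Cryptodome, not Crypto"
    return "none: nothing provides the Crypto namespace"


def migration_commands(installed):
    """pip steps that leave pycryptodome installed and pycrypto gone."""
    names = {n.lower() for n in installed}
    commands = []
    if "pycrypto" in names:
        commands.append("pip uninstall -y pycrypto")
    if "pycryptodome" not in names:
        commands.append("pip install pycryptodome")
    return commands


def installed_distributions():
    """Names of the distributions visible to this interpreter."""
    names = set()
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            names.add(name)
    return names


if __name__ == "__main__":
    found = installed_distributions()
    print(classify(found))
    for command in migration_commands(found):
        print("  ", command)
```

`classify` takes a plain set of names so the decision logic can be exercised on constructed inputs; `installed_distributions` is the only part that touches the live environment.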

Change History (13)

comment:1 Changed 4 years ago by embray

+1 I don't think we should even provide a replacement. There shouldn't be packages in Sage-the-distribution that aren't even used by Sage, directly or indirectly.

comment:2 Changed 4 years ago by embray

It would be nice if we could do this for 8.3 since it will help packagers.

comment:3 follow-ups: ↓ 5 ↓ 9 Changed 4 years ago by gh-timokau

Grepping through my source tree: I have pycrypto listed as a dependency of python-openid, which is a dependency of sagenb. Is that the dependency that is not actually used?

comment:4 Changed 4 years ago by embray

  • Authors set to Erik Bray
  • Branch set to u/embray/ticket-25844
  • Commit set to 5ca84d8753c48ff9440536e2565fdf42a79a54bf
  • Priority changed from major to critical
  • Status changed from new to needs_review

New commits:

5ca84d8 remove pycrypto; it is no longer maintained upstream, nor is it used by sage or any of its dependencies

comment:5 in reply to: ↑ 3 Changed 4 years ago by embray

Replying to gh-timokau:

Grepping through my source tree: I have pycrypto listed as a dependency of python-openid, which is a dependency of sagenb. Is that the dependency that is not actually used?

It's an optional dependency, and I think we're actually removing openid from sagenb as well, since it no longer works on Python 3.

comment:6 Changed 4 years ago by tmonteil

  • Branch changed from u/embray/ticket-25844 to u/tmonteil/ticket-25844

comment:7 Changed 4 years ago by tmonteil

  • Commit changed from 5ca84d8753c48ff9440536e2565fdf42a79a54bf to b6aa427621291c1956866c834bbc9473f6c480e8
  • Reviewers set to Thierry Monteil

It is OK for me, you just forgot to remove the licensing information about pycrypto. If you agree with this trivial change, you can set the ticket to positive_review.


New commits:

b6aa427 #25844 : remove pycrypto information from COPYING.txt

comment:8 Changed 4 years ago by gh-timokau

If it wasn't used in sage in the first place and just stuff in build is modified, it shouldn't make a difference to packagers either way. We (at least I and pretty sure the others too) don't use anything from build/pkgs.

That doesn't mean I have anything against including this in 8.3, just clarifying.

comment:9 in reply to: ↑ 3 Changed 4 years ago by fbissey

Replying to gh-timokau:

Grepping through my source tree: I have pycrypto listed as a dependency of python-openid, which is a dependency of sagenb. Is that the dependency that is not actually used?

Well, in Gentoo python-openid doesn't depend on it. Maybe it is an optional runtime dependency? In any case I am all for removing it now. Shaves a few bytes from the release tarball, smaller build/pkg folder, what's not to love :)

comment:10 Changed 4 years ago by gh-timokau

Yeah I agree. In nix the python-openid package wasn't accepted into the main tree anyways. It is only used as a dependency for sage(nb), since it has the same problem pycrypto has (unmaintained, known problems).
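Comments 3, 5, 9 and 10 settle by hand the question the commit message asserts: is pycrypto listed, directly or transitively, by anything Sage builds? The script below is an added example (not Sage's own tooling) that answers it over dependency files instead of by grepping. It imitates the layout of Sage's build/pkgs/<pkg>/dependencies files as I understand it: the first non-comment line names hard dependencies, an optional `|` separates order-only (build-time) ones, and `$(NAME)` is a Makefile variable the build expands. The package tree and the variable values are constructed for this example and deliberately small.

```python
# Added example (not Sage code): find packages that nothing reachable from
# the root package depends on. The tree below is constructed for this
# example; the variable expansions are assumed values, not Sage's.
import re

SAMPLE_TREE = {
    "sagelib": "$(PYTHON) sagenb | $(PYTHON_TOOLCHAIN)",
    "sagenb": "$(PYTHON) twisted python_openid | $(PYTHON_TOOLCHAIN)",
    "twisted": "$(PYTHON) cryptography | $(PYTHON_TOOLCHAIN)",
    "python_openid": "$(PYTHON) | $(PYTHON_TOOLCHAIN)",
    "cryptography": "$(PYTHON) | $(PYTHON_TOOLCHAIN)",
    "pycrypto": "$(PYTHON) | $(PYTHON_TOOLCHAIN)",
    "setuptools": "$(PYTHON)",
    "pip": "$(PYTHON) setuptools",
    "python3": "# no dependencies",
}
# Assumed expansions of the Makefile variables used above.
VARIABLES = {"PYTHON": ["python3"], "PYTHON_TOOLCHAIN": ["setuptools", "pip"]}

# Either a $(VARIABLE) reference or a bare package name.
TOKEN = re.compile(r"\$\((\w+)\)|(\S+)")


def parse_dependencies(text, variables=VARIABLES):
    """Return (hard, order_only) package-name lists for one dependencies file."""
    lines = [line for line in text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    if not lines:
        return [], []
    hard_part, _, order_part = lines[0].partition("|")

    def expand(part):
        names = []
        for var, name in TOKEN.findall(part):
            # An unknown variable raises KeyError on purpose: silently
            # dropping it would hide a dependency.
            names.extend(variables[var] if var else [name])
        return names

    return expand(hard_part), expand(order_part)


def reverse_dependents(tree, variables=VARIABLES):
    """Map every package to the packages whose dependencies file names it."""
    dependents = {pkg: set() for pkg in tree}
    for pkg, text in tree.items():
        hard, order_only = parse_dependencies(text, variables)
        for dep in hard + order_only:
            dependents.setdefault(dep, set()).add(pkg)
    return dependents


def reachable_from(tree, roots, variables=VARIABLES):
    """Transitive closure of dependencies starting at the root packages."""
    seen, stack = set(), list(roots)
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        hard, order_only = parse_dependencies(tree.get(pkg, ""), variables)
        stack.extend(hard + order_only)
    return seen


def orphans(tree, roots, variables=VARIABLES):
    """Packages in the tree that nothing reachable from the roots depends on."""
    return sorted(set(tree) - reachable_from(tree, roots, variables))


if __name__ == "__main__":
    listed_by = reverse_dependents(SAMPLE_TREE)
    for pkg in orphans(SAMPLE_TREE, ["sagelib"]):
        print("unused:", pkg, "listed by", sorted(listed_by[pkg]) or "nobody")
```

With the tree as constructed, pycrypto is the only orphan; adding it to python_openid's line (the optional dependency gh-timokau saw in his tree) makes it reachable again, which is exactly the distinction comment 5 draws between an optional and a real dependency.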

comment:11 Changed 4 years ago by embray

  • Status changed from needs_review to positive_review

I even meant to check COPYING.txt but got distracted and forgot at the last second.

comment:12 Changed 4 years ago by vdelecroix

  • Milestone changed from sage-8.3 to sage-8.4

update milestone 8.3 -> 8.4

comment:13 Changed 4 years ago by vbraun

  • Branch changed from u/tmonteil/ticket-25844 to b6aa427621291c1956866c834bbc9473f6c480e8
  • Resolution set to fixed
  • Status changed from positive_review to closed