I copied the python-crypto maintainers alias on this message, as
well as the maintainer aliases for the four packages that depend
on it. This message is just a quick analysis of what depends on
python-crypto/PyCrypto, and what it might take to retire the
package if that’s desired. Other than dropping the BuildRequires
in python-keyrings-alt, as described below, I’m not planning to do
any further work on this.
The same upstream as pycryptodomex[1] also provides
pycryptodome[2], a maintained “almost drop-in” replacement for
PyCrypto – so we could package that if we need to, although it
looks like most packages have moved on to pycryptodomex or other
crypto libraries, and there are few enough dependent packages that
retirement looks like it could be feasible.
$ fedrq wrsrc -s python-crypto
calibre-7.16.0-1.fc41.src
python-beaker-1.12.1-7.fc41.src
python-keyrings-alt-5.0.1-4.fc41.src
python-pyaes-1.6.1-24.fc41.src
The python-keyrings-alt dependency can certainly be removed – it
is just a set of integration tests for one of several supported
crypto libraries. I was working on an update to 5.0.2 for this
package, and I added a commit to propose dropping the
PyCrypto/pycryptodome tests in a follow-up commit[3].
I am not sure about calibre – it seems like there might be some confusing magic going on in that package. It is possible to build calibre by removing the BuildRequires on python3dist(pycrypto) and skipping test_pycryptodome, but I am not sure if that is really safe to do or not. Maintainer input would be useful here.
It looks like python-crypto is only a test dependency for python-pyaes, but it’s required for the sole test module – so it would be necessary to stop running tests, or patch the tests to use another reference implementation, like pycryptodomex.
I haven’t investigated python-beaker closely, but it looks like PyCrypto might be just one of several supported crypto backends, which suggests the dependency could probably be removed here too.
[1] https://github.com/Legrandin/pycryptodome/
[2] https://pypi.org/project/pycryptodome/
On 8/14/24 12:51 PM, Miro Hrončok wrote:
There might also be packages using tox with a tox.ini like this one:
https://github.com/pycrypto/pycrypto/blob/master/tox.ini

Can we retire that package? The project's README says:
PyCrypto 2.x is unmaintained, obsolete, and contains security vulnerabilities.
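For the python-pyaes case discussed above (a test suite whose only test module needs a reference AES implementation to compare against), the following is an added example of the kind of change the message suggests; it is not code from python-pyaes, pycryptodome or any of the Fedora packages listed. It assumes that pycryptodomex is installed as the `Cryptodome` top-level package and that a `Crypto` package, if present, is either pycryptodome or PyCrypto 2.x; the names `BACKEND_ORDER`, `aes_backend_name`, `describe_backend`, `load_aes` and `fips197_check` are mine, and the only input is the public FIPS-197 Appendix C.1 test vector.

```python
"""Backend-agnostic AES reference for a known-answer test.

Added example (not from python-pyaes or pycryptodome). Prefers the
pycryptodomex namespace `Cryptodome`, which cannot clash with PyCrypto,
and falls back to `Crypto`, which may be pycryptodome or unmaintained
PyCrypto 2.x. The test vector is FIPS-197 Appendix C.1 (public data).
"""
import importlib
import importlib.util

# FIPS-197 Appendix C.1: AES-128, single block, ECB.
FIPS197_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIPS197_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS197_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

# Assumed preference order: pycryptodomex first, shared `Crypto` namespace last.
BACKEND_ORDER = ("Cryptodome", "Crypto")


def aes_backend_name():
    """Return the first installed top-level backend package, or None."""
    for name in BACKEND_ORDER:
        if importlib.util.find_spec(name) is not None:
            return name
    return None


def describe_backend(name):
    """Tell PyCrypto 2.x apart from pycryptodome behind the `Crypto` name.

    PyCrypto 2.x reports __version__ '2.6.1'; pycryptodome reports 3.x.
    """
    if name is None:
        return "none"
    mod = importlib.import_module(name)
    version = getattr(mod, "__version__", "unknown")
    if name == "Crypto" and version.startswith("2."):
        return f"PyCrypto {version} (unmaintained)"
    return f"{name} {version}"


def load_aes():
    """Import the AES cipher module from the first available backend."""
    name = aes_backend_name()
    if name is None:
        raise ImportError("no AES backend found; install pycryptodomex")
    # Both namespaces expose Cipher.AES with the same new()/encrypt() API.
    return importlib.import_module(f"{name}.Cipher.AES")


def fips197_check():
    """Encrypt the FIPS-197 block with the chosen backend; True on a match."""
    AES = load_aes()
    cipher = AES.new(FIPS197_KEY, AES.MODE_ECB)
    return cipher.encrypt(FIPS197_PT) == FIPS197_CT


if __name__ == "__main__":
    backend = aes_backend_name()
    print("AES backend:", describe_backend(backend))
    if backend is not None:
        print("FIPS-197 C.1 known-answer test passed:", fips197_check())
```

In a test module the `load_aes()` result would replace a hard-coded `from Crypto.Cipher import AES`, so the reference implementation comes from pycryptodomex when it is installed and the BuildRequires on python-crypto can be dropped; `describe_backend` is there so a test log makes it obvious when the comparison silently ran against PyCrypto 2.x instead.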