pycrypto


François Bissey

Jul 11, 2018, 8:18:25 PM
to sage-packaging
Hi fellow packagers,

It has been brought to my attention this morning that pycrypto,
a sage dependency if you have openssl installed I think, is
dead upstream and contains unfixed security bugs.
There is a push to remove it from the gentoo main tree and have
people use the maintained fork pycryptodome.

Has any of you done that yet? Does sage even really use pycrypto
or is it really something that was necessary for the old sagenb?

Cheers,
François

Antonio Rojas

Jul 12, 2018, 3:10:43 AM
to sage-packaging
On Thursday, July 12, 2018, 2:18:25 (UTC+2), Francois Bissey wrote:
> Has any of you done that yet? Does sage even really use pycrypto
> or is it really something that was necessary for the old sagenb?
>

Yes, we have. AFAIK pycrypto wasn't used by sagenb itself, but only via twisted, and they switched to cryptography in 16.0 [1]. Anyhow, secure sagenb works fine here without pycrypto.

[1] https://github.com/twisted/twisted/blob/trunk/NEWS.rst#twisted-conch-1600-2016-03-10

François Bissey

Jul 12, 2018, 3:14:07 AM
to sage-packaging
Ha, twisted was what was using it. I am not sure when I inserted
it as a sage dependency in sage-on-gentoo but now it’s gone.
But sage itself still ships it.

François

Samuel Lelievre

Jul 12, 2018, 7:34:07 AM
to sage-packaging
Thu 2018-07-12 07:14:07 UTC, Francois Bissey:
>
> Ha, twisted was what was using it. I am not sure when I inserted
> it as a sage dependency in sage-on-gentoo but now it’s gone.
> But sage itself still ships it.

I opened a ticket to remove it from Sage:

- Sage Trac ticket 25844
Remove package pycrypto
https://trac.sagemath.org/ticket/25844

Samuel