pycryptodome

Detect and warn at installation time if an old `pycrypto` package is installed

Open frispete opened this issue 3 years ago • 4 comments

Hi,

since a regular pattern of issues with pycryptodome seems to be an existing pycrypto package installation in this setup, would it be possible to warn the user about this fact, or even fail the installation?

I'm more active on the packaging front, where we typically solve this with a conflict/replacement.

Not sure how this is done best for pip and friends.

frispete, Nov 19 '20 15:11

While the package metadata specification documents fields for that purpose, they are currently ignored by pip, if I'm not mistaken (see pypa/pip#4625). Nonetheless I think those fields should be set by Pycryptodome (in the variant using the Crypto namespace).

For installations from sources, a check in the setup.py can do it - but as installations from wheels get more common, those would get ignored there.

If install-time checks are not possible, what about checking that during import-time, so it can be at least diagnosed easily?

Varbin, Nov 20 '20 12:11

> While the package metadata specification documents fields for that purpose, they are currently ignored by pip, if I'm not mistaken (see pypa/pip#4625). Nonetheless I think those fields should be set by Pycryptodome (in the variant using the Crypto namespace).

Yes, that would be a start. My humble guess, those fields will get more attention over time, and this project is a nice example for their usefulness (if handled correctly).

> For installations from sources, a check in the setup time can do it - but as installations from wheels get more common, those would get ignored there.

Yes, sure.

> If install-time checks are not possible, what about checking that during import-time, so it can be at least diagnosed easily?

I'm pretty sure, that Helder won't like that idea much and I don't either, because it penalizes the common usage for a historical artefact. If at all, the lifetime of such a check should be limited, and we could use the deprecation fw for it? Helder?

frispete, Nov 20 '20 13:11

This is possible in setup.py:

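```python
from importlib import metadata  # Python 3.8+

try:
    # pycrypto is imported as "Crypto" (as is pycryptodome), so look up
    # the installed distribution by name rather than importing a module.
    metadata.distribution("pycrypto")
    ### Issue warning or error message.
    ### Could have a dialog whether or not to continue.
except metadata.PackageNotFoundError:
    pass
```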

I see no harm in a notification during installation. The person who did this intentionally will not care. The person who was unaware that pycrypto was inadvertently installed can remove it.

texadactyl, Nov 20 '20 17:11
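A check that does not depend on setup.py running, as an added example (not code from this thread or from the pycryptodome project): it reads installed distribution metadata instead of importing anything, so it gives the same answer after a wheel install. It assumes Python 3.8+ for `importlib.metadata`; the function names are made up for the example.

```python
import re
from importlib import metadata  # Python 3.8+

# Distribution name -> top-level package it installs. pycryptodomex is the
# pycryptodome variant that lives under `Cryptodome` instead of `Crypto`.
NAMESPACES = {"pycrypto": "Crypto", "pycryptodome": "Crypto",
              "pycryptodomex": "Cryptodome"}


def normalize(name):
    """PEP 503 name normalization, so 'PyCrypto' and 'pycrypto' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_crypto_dists(path=None):
    """Return {name: version} for the distributions above found on `path`
    (default: sys.path). Only dist-info/egg-info metadata is read; nothing
    is imported, so a shadowed `Crypto` package cannot affect the result."""
    kwargs = {} if path is None else {"path": list(path)}
    found = {}
    for dist in metadata.distributions(**kwargs):
        name = dist.metadata.get("Name")
        if name and normalize(name) in NAMESPACES:
            found[normalize(name)] = dist.version
    return found


def namespace_conflicts(found):
    """Map each import namespace to the distributions sharing it (2 or more)."""
    owners = {}
    for name in found:
        owners.setdefault(NAMESPACES[name], []).append(name)
    return {ns: sorted(names) for ns, names in owners.items() if len(names) > 1}


def check(path=None):
    """Print one warning per clash and return the conflicts for the caller."""
    found = installed_crypto_dists(path)
    conflicts = namespace_conflicts(found)
    for ns, names in conflicts.items():
        listing = ", ".join("%s %s" % (n, found[n]) for n in names)
        print("WARNING: several distributions install '%s': %s" % (ns, listing))
    return conflicts


if __name__ == "__main__":
    raise SystemExit(1 if check() else 0)
```

Run as a script, it exits non-zero when two installed distributions share a namespace, which suits a post-install or CI step.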

> While the package metadata specification documents fields for that purpose, they are currently ignored by pip, if I'm not mistaken (see pypa/pip#4625). Nonetheless I think those fields should be set by Pycryptodome (in the variant using the Crypto namespace).

Yes, that would be a start.

> For installations from sources, a check in the setup time can do it - but as installations from wheels get more common, those would get ignored there.

Yes, sure.

> If install-time checks are not possible, what about checking that during import-time, so it can be at least diagnosed easily?

I'm pretty sure, that Helder won't like this idea very much and neither do I (FWIW) because it penalizes general use for a historical artifact.

The good news is: there has been some progress in this regard recently: pip 20.3.

frispete, Nov 21 '20 11:11