
switch to system-wide libtomcrypt library

Open xambroz opened this issue 2 years ago • 1 comment

Hello, please would you consider switching to the system-installed shared library of libtomcrypt instead of embedding its code in this project?

There is a libtomcrypt system package in major distributions:

Fedora/EPEL - https://src.fedoraproject.org/rpms/libtomcrypt
Ubuntu - https://packages.ubuntu.com/bionic/libtomcrypt-dev
Debian - https://packages.debian.org/search?keywords=libtomcrypt

Embedding the code makes it difficult to identify and update some vulnerable code in case it is found (from recent history, for example, the log4shell / text4shell vulnerabilities). All major distributions have a rule that the usage of embedded code should be avoided when possible. Inclusion of this patch would make it easier for the distribution package maintainers to deal with the updates of your package.

Thank you,
Michal Ambroz

xambroz (Feb 03 '23 05:02)

Source of the patch is the Fedora package: https://src.fedoraproject.org/rpms/python-pycryptodomex/blob/rawhide/f/python-pycryptodomex-3.15.0-use_external_libtomcrypt.patch

xambroz (Feb 03 '23 05:02)

Sorry, we cannot add a dependency on a library we don't control or that may not be present.

Legrandin (Mar 16 '25 15:03)