python library introduced new dependencies in 0.2.2 #192
The ledger-bitcoin python library introduced new dependencies in version 0.2.2, in #166. Compare:
coincurve in particular is a large dependency and is not pure python. It is non-trivial to build it. Looking at the PR and the linked vulnerability, I guess I can't persuade you to remove these dependencies...
Could you perhaps make them optional?
It seems like you could easily import bip380 only when needed, only for non-trivial miniscripts, e.g. here: app-bitcoin-new/bitcoin_client/ledger_bitcoin/client.py, line 279 in b4905a4.
That would at least mean that if a library user does not support generic miniscripts, they don't need the new dependencies.
We are using ledger-bitcoin in Electrum, and would rather avoid the new dependencies, if at all possible. Note that our usage atm is limited to trivial miniscripts, for which bip380 is not even used (but it is imported nevertheless in 0.2.2). Further note that even when we add more complex miniscript support in Electrum in the future, almost surely we will have logic there outside ledger-bitcoin doing equivalent checks. Point being, it would be good to let the library user disable the new checks and not require the new dependencies.

Comments

Good point about the dependency size, definitely something to fix. For now, I guess feel free to freeze the version to 0.2.1, as there shouldn't be any substantial changes affecting you. The root of the dependency import is python-bip32, so that would be the best place to solve it. Perhaps one could consider replacing coincurve there with some more lightweight library, or a standalone implementation, as performance is probably not a big consideration here? cc @darosior, maybe you know if there is a good replacement?

Getting rid of coincurve has been a long standing goal of python-bip32. However it was only to replace it with another libsecp256k1 wrapper. I would welcome a PR making our How does that sound?

Sounds good.

Yes, will do that for now. Still, I think the import of the vendored bip380 lib (which I am fine with besides that pulling in the new deps) could be done on demand, and the new deps could be moved to a requirements extra. Note that if we had the mentioned libsecp interface abstraction, you would probably still need extras for the default implementation (as the whole point is to avoid unconditionally pulling in coincurve/etc).

ledger-bitcoin==0.2.2 added new deps we don't want to bundle. otherwise it should be ok to use. see LedgerHQ/app-bitcoin-new#192

@SomberNight the

Great! Thanks a lot.
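As an added illustration of the two mechanisms discussed in this thread, importing the miniscript engine only on the code path that needs it and declaring its native dependencies as a requirements extra, here is a self-contained pattern. This is example code, not part of ledger-bitcoin, python-bip32 or Electrum. The package name mylib, the extra name miniscript, the whitelist of "trivial" wallet-policy templates and the parameterised module name are all assumptions; the real engine's API is not modelled, only the gating around it. The last helper is the check a consumer would put in its own test-suite so that a future release cannot silently reintroduce an unconditional import of a native dependency.

```python
"""Optional-dependency gating for a client library (illustrative example,
not ledger-bitcoin's or Electrum's code).

The heavy module is imported only on the code path that needs it, and the
install hint points at a packaging extra, so the default install stays pure
python.  Hypothetical pyproject.toml stanza the error message refers to:

    [project.optional-dependencies]
    miniscript = ["bip380", "coincurve"]
"""
import importlib
import re
import sys

# Hypothetical whitelist of "trivial" wallet-policy templates (standard
# single-sig and multisig).  Only these are validated locally; anything else
# is treated as generic miniscript and routed to the optional engine.
_TRIVIAL_TEMPLATE = re.compile(
    r"^(?:"
    r"wpkh\(@0/\*\*\)"
    r"|sh\(wpkh\(@0/\*\*\)\)"
    r"|tr\(@0/\*\*\)"
    r"|(?:wsh|sh)\((?:sorted)?multi\(\d+(?:,@\d+/\*\*)+\)\)"
    r")$"
)


class MissingOptionalDependency(ImportError):
    """Raised when a feature needs a dependency that was not installed as an extra."""


def load_optional(module_name, extra, package="mylib"):
    """Import `module_name` on demand; fail with an actionable message if absent."""
    try:
        return importlib.import_module(module_name)
    except ImportError as exc:
        raise MissingOptionalDependency(
            f"{module_name!r} is required for this feature; install it with "
            f"`pip install {package}[{extra}]`"
        ) from exc


def is_trivial_template(template):
    """True if the template is one of the whitelisted single-sig/multisig forms."""
    return _TRIVIAL_TEMPLATE.fullmatch(template) is not None


def validate_template(template, miniscript_module="bip380"):
    """Return which path validated `template`: "trivial" or "miniscript".

    Trivial templates never touch the optional dependency, so a caller that
    only uses them can run without it installed.  Non-trivial templates
    import `miniscript_module` lazily (the module name is a parameter only so
    the gating can be exercised without the real engine present).
    """
    if is_trivial_template(template):
        return "trivial"
    load_optional(miniscript_module, extra="miniscript")
    return "miniscript"


def heavy_modules_loaded(names=("coincurve", "bip380")):
    """Return which of the given top-level modules are already in sys.modules.

    A consumer can assert this is [] right after importing the library to
    catch a release that pulls a native dependency in unconditionally.
    """
    return sorted(n for n in names if n in sys.modules)
```

Calling validate_template with a whitelisted template succeeds even when the engine module cannot be imported at all, while a non-trivial template either imports the engine or fails with the exact pip extra the user needs.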