Proposal to end of life PyCrypto #301
It's been established that PyCrypto is not maintained. So far, nobody has stepped up to maintain PyCrypto.
It is susceptible to three CVEs, but it is quite possibly vulnerable to more.
It is dangerous to continue using this package, and most people using it are doing so without understanding what they are doing. There are better choices (pycryptodome) and people should be moving to that.
With that in mind, I would like to adopt it in PyPI with the goal of having a managed EOL. It would involve gradually increasing warnings in documentation and installation. I will not maintain the code itself.
It's easiest if the maintainer transfers ownership to me. If not, I'll go through the abandoned projects process:
I've emailed dlitz on Jan 1, 2020 with no response. I'll do that a few more times before proceeding. I expect he's gotten quite a bit of email on this topic over the years.
I'm interested in people's feedback on this.