Skip to content
This repository has been archived by the owner. It is now read-only.

Proposal to end of life PyCrypto #301

Open
alexdevsec opened this issue Jan 19, 2020 · 8 comments
Open

Proposal to end of life PyCrypto #301

alexdevsec opened this issue Jan 19, 2020 · 8 comments

Comments

@alexdevsec
Copy link

@alexdevsec alexdevsec commented Jan 19, 2020

It's been established that PyCrypto is not maintained. So far, nobody has stepped up to maintain PyCrypto.

It is susceptible to three CVEs, but it is quite possibly vulnerable to more.

CVE-2013-2445
CVE-2013-7459
CVE-2018-6594

It is dangerous to continue using this package, and most people using it are doing so without understanding what they are doing. There are better choices (pycryptodome) and people should be moving to that.

With that in mind, I would like to adopt it in pypi with the goal of having a managed EOL. It would involve a gradually increasing warnings in documentation and installation. I will not maintain the code itself.

It's easiest if the maintainer transfers ownership to me. If not, I'll go through the abandoned projects process:
https://www.python.org/dev/peps/pep-0541/#abandoned-projects

I've emailed dlitz on Jan 1, 2020 with no response. I'll do that a few more times before proceeding. I expect he's gotten quite a bit of email on this topic over the years.

I'm interested in people's feedback on this.

Alex

@mhsmith
Copy link

@mhsmith mhsmith commented Jan 27, 2020

That sounds like a good plan. Thank you for doing this.

@lliepins-clgx
Copy link

@lliepins-clgx lliepins-clgx commented Jan 28, 2020

Well ... as long as there is alternatives or github security alerts provides meaningful instructions for replacement, I am also voting for EoL status.

@pwuertz
Copy link

@pwuertz pwuertz commented Feb 25, 2020

+1
Installing pycrypto should eventually fail and provide information about alternatives like pycryptodome and cryptography.

Thanks for working on this!

@xradiation
Copy link

@xradiation xradiation commented Mar 31, 2020

amazing idea and a must at this point, as long as pycryptodome will be stable/secure for good amount of time.
nice move @alexdevsec

tiemenv added a commit to tiemenv/website-pages that referenced this issue Apr 8, 2020
pycrypto has been unmaintained and already has several CVE's attached to it.

see: pycrypto/pycrypto#301

Proposed alternative is the better-maintained pycryptodome
@manoharrajput1
Copy link

@manoharrajput1 manoharrajput1 commented Jun 1, 2020

how can we install paytm then please tell me..

@simon28li
Copy link

@simon28li simon28li commented Jan 20, 2021

Will pycrypto be maintained no longer? Now,it is pycryptodome instead?

@andreasnuesslein
Copy link

@andreasnuesslein andreasnuesslein commented Feb 1, 2021

Hello @alexdevsec ,

I like your initiative; what's the status? I think "nothing happened" for long enough for you to file that pypi abandonment ticket :)

@theoctober19th
Copy link

@theoctober19th theoctober19th commented Feb 18, 2021

Hello @alexdevsec, thank you for taking the initiative. May I know what is it's current status?

Also, if anyone has used cryptography, does it provide a complete replacement for pycrypto?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

9 participants