python-rsa 4.1 dropped Python 2 support but did not add a python_requires>=3 stanza in setup.py #152

Closed
tvalentyn opened this issue Jun 11, 2020 · 10 comments

@tvalentyn
Contributor

This change breaks users of the rsa package who are still on Python 2 and who do not set an upper bound on rsa to be rsa<4.1 (or lower). It also breaks Python 2 users of any other library that depends on rsa with an open upper bound.

A clean way to fix the current situation would be to release a new version (for example 4.3), using the sources of 4.0 (which are still Py2 compatible), and then release the most recent released sources in a follow-up release (4.4), and add a stanza python_requires>=3 or perhaps python_requires>=3.5 (depending on which py3 versions you support).

Note that yanking released versions may cause other breakages (see for example discussion in hamcrest/PyHamcrest#131), so a fix forward would be a cleaner way to address this.

@sybrenstuvel
Owner

Thanks for the report. Your proposed solution seems sensible, I think I can do that tomorrow.

@sybrenstuvel
Owner

I just released 4.3 and 4.4.1.

4.3 is a re-tagged version 4.0, but I also took the opportunity to back-port two security fixes to Python 2.7. It does NOT support Python 3.4, as that caused some issues on Travis-CI.

4.4.1 is a re-tagged release of version 4.2, with explicit support for Python 3.5 - 3.8.

Both releases have an explicit python_requires that shows which versions are supported.

@tvalentyn
Contributor Author

tvalentyn commented Jun 12, 2020

> but I also took the opportunity to back-port two security fixes to Python 2.7.

Thanks a lot! Did this become 4.4?

@lidizheng

@sybrenstuvel Thanks for the quick update. From my local experiments, python2 -m pip install -U rsa installs rsa==4.4, which is still Python 2 incompatible. I think there might be another classifier issue in version 4.4, you might want to "yank" that version, or release a newer Python 2 compatible version.

Copied from grpc/grpc#23197

@tvalentyn
Contributor Author

I don't recommend yanking since it breaks build determinism for anyone using a build system like pipenv or poetry, but we need to fix this.

@busunkim96
Contributor

Echoing Lidi's comment, a Python 2 pip install lists up to 4.4

$ pip install rsa==foo
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
ERROR: Could not find a version that satisfies the requirement rsa==foo (from versions: 1.1, 1.2, 1.3, 1.3.1, 1.3.2, 1.3.3, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.4, 3.2, 3.2.2, 3.2.3, 3.3, 3.4, 3.4.1, 3.4.2, 4.0, 4.1.1, 4.2, 4.3, 4.4)
ERROR: No matching distribution found for rsa==foo

@sybrenstuvel
Owner

sybrenstuvel commented Jun 12, 2020

I released 4.4 too similar to 4.2, which caused the whole fix to crumble down, sorry about that.

For now I have yanked 4.4, so Python 2.7 should pick 4.3, while not-dead Python versions should pick up on 4.4.1. I don't prefer yanking, as it indeed can cause some issues, but given that 4.4 has only been released a few hours, I hope that damage is minimal and preferred over releasing yet another two versions.

Pretty please, with sugar on top, stop using this decade-old, end-of-life version of Python.

@sybrenstuvel sybrenstuvel reopened this Jun 12, 2020
@sybrenstuvel
Owner

Yanking didn't work, as the files are still listed on https://pypi.org/simple/rsa/.

I re-tagged and re-released versions 4.5 (py27 compatible) and 4.6 (3.5+ compatible), and the mess has been cleaned up:

% python2 -m pip install rsa==foo
Collecting rsa==foo
Could not find a version that satisfies the requirement rsa==foo (from versions: 1.1, 1.2, 1.3, 1.3.1, 1.3.2, 1.3.3, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.4, 3.2, 3.2.2, 3.2.3, 3.3, 3.4, 3.4.1, 3.4.2, 4.0, 4.1.1, 4.2, 4.3, 4.4, 4.5)

% python3 -m pip install rsa==foo
ERROR: Could not find a version that satisfies the requirement rsa==foo (from versions: 1.1, 1.2, 1.3, 1.3.1, 1.3.2, 1.3.3, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.4, 3.2, 3.2.2, 3.2.3, 3.3, 3.4, 3.4.1, 3.4.2, 4.0, 4.1, 4.1.1, 4.2, 4.3, 4.4, 4.4.1, 4.5, 4.6)
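
Added example, not part of the thread or the python-rsa project's code: a minimal model of how an installer filters the files on a PEP 503 simple index by their `data-requires-python` attribute, which is why releases published without `python_requires` stay visible to Python 2. The index snippet and its specifier values are constructed for illustration, and only plain `op version` clauses are handled.

```python
import operator
import re
from html.parser import HTMLParser

# Constructed index page; the requires-python values are assumptions, not real rsa metadata.
SAMPLE_INDEX = """
<a href="rsa-4.0.tar.gz">rsa-4.0.tar.gz</a>
<a href="rsa-4.2.tar.gz">rsa-4.2.tar.gz</a>
<a href="rsa-4.5.tar.gz" data-requires-python="&gt;=2.7, &lt;3">rsa-4.5.tar.gz</a>
<a href="rsa-4.6.tar.gz" data-requires-python="&gt;=3.5, &lt;4">rsa-4.6.tar.gz</a>
"""
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">": operator.gt, "<": operator.lt}

class IndexParser(HTMLParser):
    """Collect (filename, requires-python or None) for every anchor."""
    def __init__(self):
        super().__init__()
        self.files = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)  # attribute values arrive already HTML-unescaped
            self.files.append((a.get("href", ""), a.get("data-requires-python")))

def _ver(text):
    # Pad to three components so "3" and "3.0.0" compare equal.
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def allowed(requires_python, interpreter):
    """True if the interpreter satisfies every clause of the specifier."""
    if not requires_python:
        return True  # no metadata: the file is offered to every interpreter
    for clause in requires_python.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        if not OPS[m.group(1)](_ver(interpreter), _ver(m.group(2))):
            return False
    return True

def visible_files(index_html, interpreter):
    """Files an installer running on `interpreter` would consider."""
    parser = IndexParser()
    parser.feed(index_html)
    return [name for name, req in parser.files if allowed(req, interpreter)]

if __name__ == "__main__":
    for py in ("2.7", "3.8"):
        print(py, visible_files(SAMPLE_INDEX, py))
```

In the constructed index, the untagged `rsa-4.2.tar.gz` is still offered to the 2.7 interpreter, while the tagged 4.5 and 4.6 files are each offered only to the interpreter they declare.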

@wyattanderson

@sybrenstuvel any chance you can publish new wheels for 4.6 that aren't marked as universal? See #154 and the files listed here: https://pypi.org/project/rsa/4.6/#files

@sybrenstuvel
Owner

I have deleted rsa-4.6-py2.py3-none-any.whl from PyPI, and published rsa-4.6-py3-none-any.whl.
