Proposal to end of life PyCrypto #301
Comments
|
That sounds like a good plan. Thank you for doing this. |
|
Well ... as long as there is alternatives or github security alerts provides meaningful instructions for replacement, I am also voting for EoL status. |
|
+1 Thanks for working on this! |
|
amazing idea and a must at this point, as long as |
pycrypto has been unmaintained and already has several CVE's attached to it. see: pycrypto/pycrypto#301 Proposed alternative is the better-maintained pycryptodome
|
how can we install paytm then please tell me.. |
|
Will pycrypto be maintained no longer? Now,it is pycryptodome instead? |
|
Hello @alexdevsec , I like your initiative; what's the status? I think "nothing happened" for long enough for you to file that pypi abandonment ticket :) |
|
Hello @alexdevsec, thank you for taking the initiative. May I know what is it's current status? Also, if anyone has used |
It's been established that PyCrypto is not maintained. So far, nobody has stepped up to maintain PyCrypto.
It is susceptible to three CVEs, but it is quite possibly vulnerable to more.
CVE-2013-2445
CVE-2013-7459
CVE-2018-6594
It is dangerous to continue using this package, and most people using it are doing so without understanding what they are doing. There are better choices (pycryptodome) and people should be moving to that.
With that in mind, I would like to adopt it in pypi with the goal of having a managed EOL. It would involve a gradually increasing warnings in documentation and installation. I will not maintain the code itself.
It's easiest if the maintainer transfers ownership to me. If not, I'll go through the abandoned projects process:
https://www.python.org/dev/peps/pep-0541/#abandoned-projects
I've emailed dlitz on Jan 1, 2020 with no response. I'll do that a few more times before proceeding. I expect he's gotten quite a bit of email on this topic over the years.
I'm interested in people's feedback on this.
Alex
The text was updated successfully, but these errors were encountered: