Bug 2335258

Summary: Review Request: python-pycryptodome - Cryptographic library for Python
Product: [Fedora] Fedora
Reporter: W. Michael Petullo <mike>
Component: Package Review
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: mhroncok, package-review, pikachu.2014, quantum.analyst
Hardware: All   
OS: Linux   
URL: https://www.pycryptodome.org
Last Closed: 2025-01-06 19:52:10 UTC

Description W. Michael Petullo 2025-01-02 13:39:17 UTC
Spec URL: https://www.flyn.org/SRPMS/python-pycryptodome.spec
SRPM URL: https://www.flyn.org/SRPMS/python-pycryptodome-3.21.0-1.fc41.src.rpm
Description: Cryptographic library for Python
Fedora Account System Username: mikep

Comment 1 Fedora Review Service 2025-01-02 13:46:10 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/8463880
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2335258-python-pycryptodome/fedora-rawhide-x86_64/08463880-python-pycryptodome/fedora-review/review.txt

Found issues:

- A package with this name already exists. Please check https://src.fedoraproject.org/rpms/python-pycryptodome
  Read more: https://docs.fedoraproject.org/en-US/packaging-guidelines/Naming/#_conflicting_package_names

Please know that there can be false-positives.

---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.

Comment 2 Miro Hrončok 2025-01-02 17:46:56 UTC
Beware of bz1756505.

Comment 3 Elliott Sales de Andrade 2025-01-03 07:31:42 UTC
Are you sure angr uses this? I don't see any mention of it directly.

Comment 4 W. Michael Petullo 2025-01-03 14:06:42 UTC
Python angr requires cle, which requires cart, which requires pycryptodome, I think.

Regarding comment #2, the pycrypto website states "PyCrypto 2.x is unmaintained, obsolete, and contains security vulnerabilities." That same website recommends pycryptodome as an alternative.

Comment 5 Miro Hrončok 2025-01-03 14:29:33 UTC
(In reply to W. Michael Petullo from comment #4)
> Regarding comment #2, the pycrypto website states "PyCrypto 2.x is
> unmaintained, obsolete, and contains security vulnerabilities." That same
> website recommends pycryptodome as an alternative.

I am not saying which is better. I am saying there is a conflict and it needs to be explicitly handled.

Comment 6 Mohamed El Morabity 2025-01-03 16:00:20 UTC
Hello,

Fedora already provides the python-pycryptodomex package, built from the same upstream sources as your package, but with a different namespace to avoid conflicts. This namespace is provided and supported by upstream, making it a reliable alternative. It should be straightforward to patch angr to use pycryptodomex.

Comment 7 Mohamed El Morabity 2025-01-03 16:05:36 UTC
See also bz1370919

Comment 8 W. Michael Petullo 2025-01-06 19:52:10 UTC
I am dropping this review. Instead, I modified my proposed python-cart package to use the existing python-pycryptodomex package. I also asked about formally replacing python-crypto with python-pycryptodome:

https://lists.fedoraproject.org/archives/list/python-devel@lists.fedoraproject.org/thread/UTH7MYUQSSZGN2MPQNGCHLWHDMHDNCQH/

Thank you, Mohamed, for pointing out the existence of python-pycryptodomex.
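
Added example (not part of the thread, and not code from Fedora, angr, cart or PyCryptodome): comments 6 and 8 resolve the conflict by moving the dependent package to pycryptodomex, which installs the top-level package `Cryptodome` where pycryptodome installs `Crypto`. The script below ports a module's imports accordingly and reports the imports that cannot be renamed mechanically; the function name `port_imports` and the sample module are constructed for illustration.

```python
import ast
import re

# pycryptodome installs the top-level package Crypto; pycryptodomex installs Cryptodome.
OLD, NEW = "Crypto", "Cryptodome"

# Constructed sample module, not taken from any real package.
SAMPLE = '''\
import os
from Crypto.Cipher import AES
from Crypto.Util.Padding import (
    pad,
    unpad,
)
import Crypto.Hash.SHA256 as sha256
import Crypto.Random
from .Crypto import local_helper
# Crypto in a comment stays untouched
key = Crypto.Random.get_random_bytes(16)
'''

def port_imports(source):
    """Return (ported_source, rewritten_linenos, manual_linenos)."""
    lines = source.splitlines(keepends=True)
    rewritten, manual = [], []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom):
            if node.level or not node.module or node.module.split(".")[0] != OLD:
                continue  # relative import or unrelated package
            safe = True
        elif isinstance(node, ast.Import):
            hits = [a for a in node.names if a.name.split(".")[0] == OLD]
            if not hits:
                continue
            # Un-aliased `import Crypto.X` binds the name Crypto for the module
            # body, so renaming only the import line would break later uses.
            safe = all(a.asname for a in hits)
        else:
            continue
        if not safe:
            manual.append(node.lineno)
            continue
        for i in range(node.lineno - 1, node.end_lineno):
            lines[i] = re.sub(rf"\b{OLD}\b", NEW, lines[i])
        rewritten.append(node.lineno)
    return "".join(lines), sorted(rewritten), sorted(manual)

if __name__ == "__main__":
    print(port_imports(SAMPLE)[0])
```

Line numbers returned in the third element mark imports whose body references (`Crypto.Random...` in the sample) have to be renamed together with the import.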