python-cryptography, Rust, and OpenSSL 3.0
Hi,
TL;DR: Does it make sense to upload the intermediary upstream version
3.4.8 or rather wait for someone to work on the Rust-based later versions?
I'm currently working on the OpenSSL 3.0 transition in Ubuntu, and
python-cryptography in its current version in Debian and Ubuntu does not
support it[0].
The current version of the package is 3.3.2-1, whereas upstream is at
36.0. Versioning scheme notwithstanding, upstream moves with a rapid
pace, since 3.3.2 came out in February 2021.
This package has recently gained some notoriety[1] for wanting
to use Rust to replace parts of its C core. 3.4 introduces an optional
dependency on the Rust toolchain, which became mandatory in 35.0 (think
3.5).
Said 35.0 release also brought OpenSSL 3.0 support, which is why I first
tried to update the package directly to 35.0 (36.0 wasn't out at the
time), but it needs a good few packages that aren't, or weren't at the time,
in the Debian archive, with transitive dependencies on crates that
aren't necessarily version-compatible with what's currently in Debian.
Furthermore, dh-python and pybuild aren't necessarily ready for the
setuptools Rust extension.
So, instead I opted for packaging the last Rust-optional version, 3.4.8,
and backported the necessary OpenSSL 3.0 patches. I posted the result of
this work on Salsa[2].
Now that the OpenSSL 3 transition has started in Ubuntu, I plan on
uploading this package to our archive as I lack the time to do the
necessary work for the Rust enablement, but I'm wondering if it makes
sense to do the same in Debian?
Cheers,
Simon
PS: please keep me in CC, as I'm not subscribed to the ML.
[0]: https://bugs.launchpad.net/ubuntu/+source/python-cryptography/+bug/1946189
[1]: https://lwn.net/Articles/845535/
[2]: https://salsa.debian.org/python-team/packages/python-cryptography/-/merge_requests/6
--
Simon Chopin
Foundations Team Ubuntu MOTU
simon.chopin@canonical.com schopin@ubuntu.com
Reply to: