Consider migrating to Cryptography #1998
Comments
+1 the
good suggestion! i will try to add support for Cryptography. what's your opinion? @MartinThoma
for me,
sure, personally i prefer not to replace PyCryptodome by cryptography, add just support using cryptography to do encryption/decryption when no PyCryptodome installed. i just wrote a PR #2000 for it.
Thank you @scdub for pointing this out. It helps me a lot to know that requests uses cryptography. I need to check the cryptography project a little bit more, but I tend to agree that this is a good idea. @exiledkingcc Thank you for providing a PR that swift ❤️ I guess it will take at least this week. I don't want to rush with security-related changes
@scdub Now I'm curious 😄 In case you don't want to elaborate publicly, but are free to speak about it in private: [email protected]
As I don't want to break backwards compatibility, I also prefer that approach 👍 Was that also the (only) reason why you don't want to change it? If that is the case, we could plan deprecating PyCryptodome for
Regarding the support of Python versions: #2005 - currently, I tend to keep Python 3.6 support. I feel like it doesn't cost us that much + a lot of people (sadly) still need it.
personally, i would prefer python standard libraries to have cryptographic functions, which has not happened yet 😞 .
…yCryptodome (#2000) Use the [`cryptography` package](https://pypi.org/project/cryptography/) (maintained by the Python Cryptographic Authority, pyca) as a fallback if [PyCryptodome](https://pypi.org/project/pycryptodome/) (maintained by Legrandin / Helder Eijs) is not installed. Closes #1998
@scdub I've merged the excellent PR by @exiledkingcc . The
We will likely also switch the order of preferences; recommending rather Thank you for mentioning this issue / bringing cryptography as an option to my attention 🙏 I value such contributions; if you want I'll add you as a contributor: https://pypdf.readthedocs.io/en/latest/meta/CONTRIBUTORS.html
Comparison of the cryptography and PyCryptoDome libraries:

| | cryptography | pycryptodome |
| -------------- | ------------ | --------------- |
| Maintainers | pyca | a single person |
| PyPI downloads | 156,673,182 | 19,755,432 |
| Github Stars | 5.7k | 2.4k |
| Github Forks | 1.6k | 0.4k |

Hence we now primarily use cryptography and use `PyCryptodome` as a fallback

See #1998
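
An added example, not pypdf's own code: a sketch of the preference order described in the commit above (cryptography first, PyCryptodome as fallback) for one primitive, AES-CBC decryption, with a known-answer check that every installed backend gives the same result. The function names and the choice of AES-CBC with a NIST SP 800-38A test vector are assumptions made for illustration.

```python
import importlib.util

# Preference order described in the thread: cryptography first, PyCryptodome second.
# Entries are import names: PyCryptodome installs as the top-level package "Crypto".
BACKENDS = ("cryptography", "Crypto")


def _installed(module_name):
    """True if the module can be imported, without importing it."""
    return importlib.util.find_spec(module_name) is not None


def select_backend(is_installed=_installed):
    """Return the first available backend name, or None if neither is installed."""
    for name in BACKENDS:
        if is_installed(name):
            return name
    return None


def aes_cbc_decrypt(key, iv, data, backend=None):
    """Decrypt raw AES-CBC blocks (no padding removal) with the chosen backend."""
    backend = backend or select_backend()
    if backend == "cryptography":
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
    if backend == "Crypto":
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    # Fail closed: never hand ciphertext back as if it were plaintext.
    raise RuntimeError("no AES backend: install cryptography or pycryptodome")


# Known-answer vector (NIST SP 800-38A, CBC-AES128, first block).
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
IV = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CT = bytes.fromhex("7649abac8119b246cee98e9b12e9197d")
PT = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")


def self_test():
    """Check every installed backend against the vector; returns {name: passed}."""
    return {b: aes_cbc_decrypt(KEY, IV, CT, b) == PT for b in BACKENDS if _installed(b)}


if __name__ == "__main__":
    print("selected:", select_backend(), "self-test:", self_test())
```
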
Thanks much for this change! I really appreciate it. The Python distribution I had mentioned is what we distribute as part of ArcGIS Pro, a Geographic Information System program. We use your great
@pubpub-zz For sure, I can contribute on a personal basis, and left some thoughts on approaches to support on that discussion.
@MartinThoma you will have to find the good organisation 😀
@pubpub-zz specifically on the PDF 2.0 specification, have you seen https://www.pdfa.org/sponsored-standards/ ? It still requires accepting a EULA, but does provide free access to ISO 32000-2 and some of its supplements.
Thanks, already loaded. 😉
The PDF 2.0 specifications became available after I've opened #1660
Explanation
I help maintain a large Python distribution, which would like to use `pypdf` for reading encrypted PDFs, but would prefer not to include the additional dependency of PyCryptodome as we already include Cryptography for numerous other dependencies. Cryptography includes the same cryptographic primitives used in `pypdf` (AES and RC4), but is typically a smaller and more secure installation as it calls well vetted implementations rather than implementing them directly. It also is a dependency of `requests` via `urllib3`, and is widely deployed. A quick check of conda-forge packages showed that PyCryptodome / PyCryptodomeEx was used in 25 packages versus 135 for Cryptography, and other packages such as `pdfminer.six` have made this migration earlier.

If this is something that seems worthwhile, I can work on creating a PR for this effort.
cc @exiledkingcc