On Mon, 2021-02-08 at 12:19 +0100, Michał Górny wrote:
> FYI the developers of dev-python/cryptography decided that Rust is going
> to be mandatory for 1.5+ versions. It's unlikely that they're going to
> provide LTS support or security fixes for the old versions.
>
> Since cryptography is a very important package in the Python ecosystem,
> and it is an indirect dependency of Portage, this means that we will
> probably have to entirely drop support for architectures that are not
> supported by Rust.
>
> [...]
>
> I've raised a protest on the cryptography bug tracker [2] but apparently
> upstream considers Rust's 'memory safety' more important than ability to
> actually use the package.
>
> Honestly, I don't think it likely that Rust will gain support for these
> platforms. This involves a lot of work, starting with writing a new
> LLVM backend and getting it accepted (getting new code into LLVM is very
> hard unless you're doing that on behalf of one of the big companies). You
> can imagine how much effort that involves compared to rewriting the new
> code from Cryptography into C.
>
> If we can't convince upstream, I'm afraid we'll either have to drop
> these architectures entirely or fork Cryptography.
>
>
> [1] https://doc.rust-lang.org/nightly/rustc/platform-support.html
> [2] https://github.com/pyca/cryptography/issues/5771

So it seems that upstream has practically closed the discussion, and the short summary is that they only care for the 'majority' of users, they don't care for minor platforms (but we're free to port LLVM/Rust to them) and -- unsurprisingly -- this is a part of a crusade towards promoting Rust.

Given the aggressive opinions of a number of Python core devs participating in the discussion, I'm afraid that it is quite probable that a future version of CPython may require Rust. In fact, they've already started having knee-jerk reactions to the problem at hand [1]. To be honest, I've never thought I'd be this disappointed in Python upstream.

Good news is that they've promised to keep an LTS branch with security fixes to the non-Rust version. Until end-of-year. And they've pretty aggressively stated that they won't fix anything except security bugs with a CVE assigned. So if it stops building for whatever reason, we're on our own.

I've reached out to Debian and they're planning to remove support for minor architectures for this package in the next release. However, Python is not as central to them as it is to us. Alpine is also affected but seems intent on pushing Rust forward, so they'll probably drop these architectures as well.

Mike's submitted a PR to remove (unnecessary) cryptography dep from our urllib3/requests packages [2]. This should make it possible to avoid cryptography at least on some systems. However, it is still an indirect test dependency of these packages, so we're going to have a hard time keeping them properly tested.

At this point, I'm really depressed about this and I'm seriously wondering why I'm wasting so much effort on open source. I don't see a good way out of it. Rust could be a nice language -- but it won't if it continues to be surrounded by arrogant zealots who want to destroy everything in their path towards promoting it.

The first big blocker we're going to hit is trustme [3] package that relies on cryptography API pretty heavily to generate TLS certs for testing. If we managed to convince upstream to support an alternate crypto backend, we'd be able to retain minor keywords on a lot of packages without too much pain.

[1] https://bugs.python.org/issue43179
[2] https://github.com/gentoo/gentoo/pull/19383
[3] https://github.com/python-trio/trustme

--
Best regards,
Michał Górny