search

ahknight / httpsig

HTTP Signature for Python
https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
MIT License
36 stars 20 forks source link

Relax pycryptodome requirements #13

Closed cveilleux closed 5 years ago

cveilleux commented 6 years ago

setup.py currently requires:

pycryptodome==3.4.7

see: https://github.com/ahknight/httpsig/blob/master/setup.py#L40

install_requires should not be used to pin dependencies to exact version. See: https://packaging.python.org/discussions/install-requires-vs-requirements/

It is not considered best practice to use install_requires to pin dependencies to specific versions, or to specify sub-dependencies (i.e. dependencies of your dependencies). This is overly-restrictive, and prevents the user from gaining the benefit of dependency upgrades.

Unless there is a good reason which I am not aware of, something like:

install_requires=['pycryptodome>=3,<4', 'six']

should accept any pycryptodome version 3.x.x

ericbuckley commented 6 years ago

Is there any reason PR #14 can't be merged? Version pycryptodome==3.4.7 has a known vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2018-15560

smcoll commented 6 years ago

@ahknight this would resolve a security vulnerability for any project requiring this package: see https://github.com/Legrandin/pycryptodome/issues/198