require cryptography in packaging metadata (and remove rsa)

[ktdreyer]

In https://github.com/googleapis/google-auth-library-python/pull/185 , google-auth now uses Python's cryptography library if it's available.

The cryptography library is faster and better-maintained than python-rsa.

Recently the rsa library had a security bug, and it took a long time to ship an update https://github.com/sybrenstuvel/python-rsa/issues/165 . This impacted google-auth users, see https://github.com/googleapis/google-auth-library-python/issues/646

Would you please update the google-auth packaging metadata to stop installing rsa and start installing cryptography instead?

[ktdreyer]

(CC @jmontleon FYI, since you're packaging google-auth in Fedora)

[jmontleon]

Thanks for the heads up. Is there a minimum version required? It looks like in Fedora 35 we have python3-cryptography-35.0.0-2.fc35.x86_64, Fedora 34 python-cryptography-3.4.6-1.fc34, and in EL8 and EL9, which I've also been trying to keep up to date, we have python3-cryptography-3.2.1-5.el8.x86_64 and python3-cryptography-3.4.7-5.el9.x86_64.

[ktdreyer]

The cryptography backend went into google-auth-1.4.0, tagged Feb 08, 2018.

At that time, the latest cryptography release was 2.1.4. So we should be fine for Fedora and EPEL.