Closed gganssauge closed 3 years ago
Downgrading to Zope-5.0 resolves the issue but leaves me without an upgrade path. A possible solution would be to relax the requirement for cryptography if possible.
Hi, thanks for your report.
When having a look at the changelog of cryptography, it seems the most recent version of cryptography is 3.4.3.
https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Version 3.3.2 fixes a security issue, so as Zope currently only requires 3.2.1, imho, Zope should not allow cryptography < 3, as your version of pymongocrypt requires, but on the contrary, at least require 3.3.2.
When having a look at pymongocrypt, they last released in June 2020, and their master branch contains the restriction install_requires=["cffi>=1.12.0,<2", "cryptography>=2.0,<4"],.
So imho you should post this problem on pymongocrypt's issue tracker, so they make a new release.
Also, we, here at Zope, should have a look at the fixed security issues in cryptography and probably release a new version of Zope 5, requiring cryptography >= 3.3.2.
Thanks for the explanation. I followed your suggestion and created an issue on the MongoDB tracker for pymongocrypt.
gganssauge wrote at 2021-2-9 07:57 -0800:
Using Zope-5.1 and pymongocrypt in the same application is not possible due to a dependency conflict on module cryptography.
Zope itself does not depend directly on cryptography -- the version pins in the various version files are likely there for the sake of other packages usually found in Zope applications (I found e.g. use of cryptography in the requests package).
The version files associated with Zope specify a version collection "known to work" in the usual case -- not a must. If your local environment requires different version pins, you can override those files.
If you use buildout, overriding version pins is quite simple.
Not sure whether pip, too, allows for easy pin overrides.
From your problem description it looks like you download the constraints.txt file for Zope and use that directly. You're free to edit that file and change the cryptography package pin to another version, or create your own requirements file that refers to the Zope file and overrides version pins where necessary. It sounds like you're not quite clear how to use constraints; there is no issue with Zope or its version constraints file.
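An added example, not code from this thread, Zope or pymongocrypt: before overriding the cryptography pin in a constraints file, check a candidate version against both the specifiers quoted above and the 3.3.2 security fix release. The function names, labels and the 2.9 candidate are assumptions made for illustration, and only plain numeric versions are handled.

```python
import re

# Plain numeric releases only (assumption): no pre/post/dev tags or wildcards.
_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"\s*(==|!=|>=|<=|>|<)\s*([\d.]+)\s*")

def parse_version(text):
    """'3.2.0' -> (3, 2); trailing zeros are dropped so 3.2 == 3.2.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def satisfies(version, specifier):
    """True if version meets every comma-separated clause, e.g. '>=2.0,<4'."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def check_pin(pin, requirements, security_floor=None):
    """Return reasons the pin is unusable; an empty list means acceptable."""
    problems = [f"{owner} requires cryptography{spec}"
                for owner, spec in requirements.items()
                if not satisfies(pin, spec)]
    if security_floor and not satisfies(pin, f">={security_floor}"):
        problems.append(f"below security fix release {security_floor}")
    return problems

# Specifiers quoted in the thread; the labels and the 2.9 pin are constructed.
RELEASED = {"pymongocrypt (released)": "<3"}
MASTER = {"pymongocrypt (master)": ">=2.0,<4"}
FIX = "3.3.2"

if __name__ == "__main__":
    for pin, reqs in (("3.2", RELEASED), ("2.9", RELEASED), ("3.3.2", MASTER)):
        print(pin, check_pin(pin, reqs, FIX) or "ok")
```

Any pin that satisfies the released `<3` specifier falls below 3.3.2, so only the `>=2.0,<4` range from pymongocrypt's master branch admits a version that includes the security fix.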
BUG/PROBLEM REPORT (OR OTHER COMMON ISSUE)
Using Zope-5.1 and pymongocrypt in the same application is not possible due to a dependency conflict on module cryptography.
Zope-5.1 specifies "cryptography == 3.2" while pymongocrypt specifies "cryptography < 3"
What I did:
What I expect to happen:
I expect this to work without conflicts.
What actually happened:
pymongocrypt cannot be installed when Zope-5.1 is installed at the same time
What version of Python and Zope/Addons I am using: