zopefoundation / Zope

Zope is an open-source web application server.
https://zope.readthedocs.io

Zope-5.1 no longer compatible with pymongocrypt #946

Closed gganssauge closed 3 years ago

gganssauge commented 3 years ago

BUG/PROBLEM REPORT (OR OTHER COMMON ISSUE)

Using Zope-5.1 and pymongocrypt in the same application is not possible due to a dependency conflict on module cryptography.

Zope-5.1 specifies "cryptography == 3.2" while pymongocrypt specifies "cryptography < 3"

What I did:

$ python3.7 -m venv --without-pip venv
$ python3.7 -c "from urllib.request import urlretrieve; urlretrieve('https://bootstrap.pypa.io/get-pip.py', 'get-pip.py')"
$ venv/bin/python get-pip.py
Looking in indexes: ...
Looking in links: ...
Collecting pip
...
Collecting setuptools
...
Collecting wheel
...
Installing collected packages: wheel, setuptools, pip
Successfully installed pip-21.0.1 setuptools-53.0.0 wheel-0.36.2
$ . venv/bin/activate
(venv) $ cat > constraints
-c https://zopefoundation.github.io/Zope/releases/5.1/constraints.txt
Zope == 5.1
(venv) $ pip install pymongocrypt -c constraints
Looking in indexes: ... 
Looking in links: ...
Collecting pymongocrypt
...
ERROR: Cannot install pymongocrypt==1.0.0 and pymongocrypt==1.0.1 because these package versions have conflicting dependencies.

The conflict is caused by:
    pymongocrypt 1.0.1 depends on cryptography<3 and >=2.0
    pymongocrypt 1.0.0 depends on cryptography<3 and >=2.0

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/user_guide/#fixing-conflicting-dependencies
(venv) $

What I expect to happen:

I expect this to work without conflicts.

What actually happened:

pymongocrypt cannot be installed when Zope-5.1 is installed at the same time

What version of Python and Zope/Addons I am using:

$ uname -a
Linux plattfisch 4.15.0-134-generic #138-Ubuntu SMP Fri Jan 15 10:52:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ venv/bin/python --version
Python 3.7.5

gganssauge commented 3 years ago

Downgrading to Zope-5.0 resolves the issue but leaves me without an upgrade path. A possible solution would be to relax the requirement for cryptography, if possible.

jugmac00 commented 3 years ago

Hi, thanks for your report.

When having a look at the changelog of cryptography, it seems the most recent version of cryptography is 3.4.3. https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

Version 3.3.2 fixes a security issue, so as Zope currently only requires 3.2.1, imho, Zope should not allow cryptography < 3, as your version of pymongocrypt requires, but on the contrary, at least require 3.3.2.

When having a look at pymongocrypt, they last released in June 2020, and their master branch contains the restriction install_requires=["cffi>=1.12.0,<2", "cryptography>=2.0,<4"].

So imho you should post this problem on pymongocrypt's issue tracker, so they make a new release.

Also, we, here at Zope, should have a look at the fixed security issues in cryptography and probably release a new version of Zope 5, requiring cryptography >= 3.3.2.

gganssauge commented 3 years ago

Thanks for the explanation. I followed your suggestion and created an issue on the MongoDB tracker for pymongocrypt.

d-maurer commented 3 years ago

gganssauge wrote at 2021-2-9 07:57 -0800:

Using Zope-5.1 and pymongocrypt in the same application is not possible due to a dependency conflict on module cryptography.

Zope itself does not depend directly on cryptography -- the version pins in the various version files are likely there for the sake of other packages usually found in Zope applications (I found e.g. use of cryptography in the requests package).

The version files associated with Zope specify a version collection "known to work" in the usual case -- not a must. If your local environment requires different version pins, you can override those files.

If you use buildout, overriding version pins is quite simple. Not sure whether pip, too, allows for easy pin overrides.

dataflake commented 3 years ago

From your problem description it looks like you download the constraints.txt file for Zope and use that directly. You're free to edit that file and change the cryptography package pin to another version, or create your own requirements file that refers to the Zope file and overrides version pins where necessary. It sounds like you're not quite clear on how to use constraints; there is no issue with Zope or its version constraints file.
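As an added example (not code from the thread, from Zope or from pip), this carries out the edit dataflake describes: rewrite one pin in a local copy of constraints.txt while keeping every other line, and confirm the new pin does not fall below the 3.3.2 floor jugmac00 mentions. The sample file and its version numbers are constructed, and the helper names are assumptions of this example.

```python
import re
# Constructed sample in the shape of a pip constraints file; the version
# numbers are illustrative, not copied from the real Zope file.
SAMPLE_CONSTRAINTS = """\
# pins known to work together
-c base-constraints.txt
cffi == 1.14.4
cryptography == 3.2.1
requests == 2.25.1
"""

# One pin line: package name, comparison operator, version. Text after '#'
# is stripped first, so commented-out pins never match.
_PIN_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
                     r"(?P<op>==|>=|<=|~=|!=|<|>)\s*(?P<ver>[0-9][0-9A-Za-z.]*)\s*$")
def _norm(name):
    # PEP 503 name normalisation: case-insensitive, runs of -_. collapse to -
    return re.sub(r"[-_.]+", "-", name).lower()

def _pin_for(line, package):
    m = _PIN_RE.match(line.split("#", 1)[0])
    return m if m and _norm(m.group("name")) == _norm(package) else None

def find_pin(text, package):
    """Return (operator, version) pinned for `package`, or None if unpinned."""
    for line in text.splitlines():
        m = _pin_for(line, package)
        if m:
            return m.group("op"), m.group("ver")
    return None

def override_pin(text, package, new_spec):
    """Rewrite the pin for `package`, keep every other line; append if unpinned."""
    out, replaced = [], False
    for line in text.splitlines():
        m = _pin_for(line, package)
        out.append(f"{m.group('name')} {new_spec}" if m else line)
        replaced = replaced or bool(m)
    if not replaced:
        out.append(f"{package} {new_spec}")
    return "\n".join(out) + "\n"

def _vtuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))

def pin_meets_floor(text, package, floor):
    """True only if the pin cannot resolve below `floor` (absent or upper-bound-only pin: False)."""
    pin = find_pin(text, package)
    return (pin is not None and pin[0] in ("==", ">=", "~=")
            and _vtuple(pin[1]) >= _vtuple(floor))
```

pip applies every -c file it is given, so a second constraints file that pins cryptography differently produces another ResolutionImpossible rather than an override; editing a local copy as above sidesteps that.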