-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency on rust removes support for a number of platforms #5771
Comments
destroyed my CI/CD Pipeline this morning 😆 |
It is also impossible to build on ANY alpine linux version/architecture. Please remove this dependency as soon as possible. |
Update to most recent Alpine with Rust >= 1.45. Alpine latest has rust (1.47.0-r2).
Not going to happen. Rust dependency will stay to replace C code with an actual safe language. You can disable Rust integration in 3.4.x (see FAQ). Starting with 3.5 cryptography will have mandatory Rust code. |
So the only "reason" for this change is to use a "actual safe language"? ...ahhh...yeah... |
I guess this means we'll have to fork Cryptography, and render the original package irrelevant. |
Yes, memory safety is a very compelling reason to use Rust. C is a bad language to implement parsers for e.g. ASN.1. Check out @alex and @reaperhulk side-project https://twitter.com/LazyFishBarrel
The new Rust code adds exactly 0 (zero) runtime packages to Cryptography. Rust, Cargo, pyo3, its dependencies, and setuptools_rust are build-time dependencies only. |
Pinned to second last version to get our pipelines up and running again, at least until I've figured out what should be done long term |
Memory safety is of course a compelling reason, but you should also keep in mind that may developers out there are using your package, which is great by the way, and are now forced to upgrade all their containers, ci/cd pipelines, packages and so on. A little piece of information upfront or a deprecation warning would have helped a lot. Or maybe I just overlooked something. |
Yes, that's exactly what I did. |
I think that it is clear that you have broken semantic versioning with both the python 2 change, and the requirement for rust at build time. From the changelog:
This should probably be a 4.0 release it would cause a lot less pain for the community. I suppose many have Update |
Looks like you have missed all announcements and FAQ entries. Rust bindings kicked off in July 2020 with #5357. Alex started a thread on the cryptography developer mailing list in December to get feedback from packagers and users. The FAQ also contains instrutions how you can disable Rust bindings. PS: I've been preparing Fedora packaging for almost three months. My Fedora Rawhide packages of python-cryptography 3.4 landed about 12 hours after the release -- and I had to jump through several extra hoops because Fedora does not permit vendoring of Rust crates. |
I'm sure all the users who aren't able to use cryptography anymore will appreciate the memory safety.
Do you seriously expect people who maintain a few hundred Python packages to follow development mailing lists of every single one of them? |
The majority of users either uses binary wheels (macOS x86_64, glibc Linux x86_64 + aarch64, Windows X86 + X86_64) or Linux distro packages. Binary wheels don't require an additional Rust libraries. Only users on Alpine (musl), BSD, other hardware platforms, and distro packagers are affected.
Do you have constructive suggestions how to communicate changes additionally to project mailing lists, Github issue tracker, project IRC channel, documentation (changelog, FAQ), and Twitter channels? |
I wonder if there's a way to produce a more helpful error message, perhaps with a link to some documentation about the new required build deps. The current message most people will hit is
Which does sort of attempt to guide people the right way but could be more specific for common cases like Alpine. Trying to follow the docs as an Alpine user who doesn't know about Rust is kind of confusing right now. As the Alpine specific steps only tell you to install gcc but as you point out above latest Alpine actually has a new enough rust in APK. |
That's a very roundabout way of showing the middle finger to users of 'other hardware platforms' that are not supported by Rust (or LLVM) at all. |
CI testing went down the drain with this in GitLab CI with docker:stable-dind, as it's based off of Alpine. I can imagine this happening all over the place. |
The documentation for Alpine builds has been improved #5763 already. I have a pending PR for Fedora, CentOS, and Debian at #5764 . If you have any suggestions for better build instructions, please help by opening a PR. |
For myself, I'd like to note that a heads-up in the CHANGELOG / Release Notes (I may have missed it) would've helped:
I don't see any mention before the release in the CHANGELOG or in the emails to python-announce-list. That's the one thing which distro maintainers or packagers really should be reading on every new release. Including it as a warning in previous releases would've helped us out here to both object/raise concerns and begin preparations. |
To be fair the developers did ask for feedback (in a not very inviting way): We are interested in feedback in things we can do to make this a smooth process, particularly from folks who are re-distributing cryptography. Please note: feedback of the form “don’t use Rust” is not productive and will be disregarded I highly suspect there will be many more complaints throughout the day about stuff breaking. I had stuff breaking on amazon linux and was confused as to why pip install ansible was asking for rust, seems that one is tagged to latest cryptography in requirements.txt (which is of course not directly the fault of the devs here). |
I suppose this is perhaps a bit naive. I don't blame you, I'm not sure what else you could've done to inform your users either. That said, you need to realize that your project has just introduced itself to a few thousands developers by killing their CICD runs. Talk about first impressions 😄. That's a good reminder to update the alpine images though. Hands up: who here watches every update of every transitive dependency in each app/environment they have to maintain? BTW. This actually gives me ideas about dependency change notification systems for developers. Notifying users about incompatible dependency changes has been an issue in this industry for what, last 25 years? How much has changed wrt this during that time? |
I totally agree. I really think we did not even scratch the tip of the iceberg. There might be some "interesting" problems ahead. And don't get me wrong @tiran, I also agree with you regarding your security concerns, but this switch could have really done some serious damage. We will see... |
lol |
It sounds like y'all are getting an unexpected lesson about the flip-side of open source software. I would like to push back on some of the entitlement I'm sensing reading in this thread. Before I begin, I'd like to remind you that security is a numbers game. If the
It sounds like you're saying that your time as a Gentoo and NetBSD maintainer is worth more than the time of In fact, your only real recourse long-term is exactly to band up volunteers to make Rust work on your platform. Or pay some hired guns to do the initial work for you. After all, you will be seeing more and more projects depending on this programming language as time goes on. Yelling at creators of those projects for choosing a language that is inconvenient for you is both ineffective and laughable.
It's a security-focused package. If you are not already paying attention to its development then you're putting your users at risk.
I invite you to do that. Please put your money and time where your mouth is. Report back in a year's time how it went. |
Let's depend on Rust because everything does! Afternote: should be "HARD depend" - without the ability to toggle building with the given component. |
We have been able to fix our We have updated Any idea on why the compilation with Rust is that slow??
|
It's really not just "some other platforms". Ubuntu 18 is also affected... We are using system distribution of Python to run some automation on Ubuntu images built for AWS and Azure.
If you really wanted this breaking change, the only real way to do this as of right now (wrt' tools like I'd be totally fine with there being a |
@wvxvw creating a new package would actually make the situation a lot worse. Except if the Python module name is also renamed, which would require everyone to adjust there code. Which would also be worse IMO. |
Ubuntu Bionic LTS has recent Rust and Cargo version. pip is the problem here. Ubuntu 18.04 comes with an old, unsupported pip version. I recommend that you install a newer pip version in a virtual env. It might also be worth the trouble to file an update request with your vendor.
|
Nobody is saying that it's a bad idea. Don't push a minor patch version for a very clear breaking change and none of these conversations would even be happening. Stop making assumptions about peoples systems and software and use correct versioning. If this was cryptography 4.0.0 then nobody would care because all their builds and docker images still work, but because it's 3.x a lot of us are up a creek without a paddle. |
ITT: People that use (probably not formally verified) CRYPTOGRAHPY packages, distributed as BINARY BLOBS, that cannot be verified to be compiled from a certain commit, versions of which get AUTOMATICALLY UPDATED in their CIs, making even source builds untrusted. You guys are surprised your builds break? And then blame the author? I suggest you ask for a refund. |
Holy crap, now I need to install Rust on like 20 base Docker images which we use for around 300 software projects in our collaboration. Seriously? |
To be clear, hppa and m68k are still quite alive and well in Linux, please don't use that as justification to remove support for those archs. I like running Python on my Amiga. |
No, you don't. There are multiple documented workarounds like updating pip to >19.1 or setting an env var. It's all explained in the error output. |
@tiran I've just run the queries on the BigTable of PyPi download data. It shows what pypistats.org doesn't, and that is that 87% of cryptography downloads over the last 7 days were source downloads. This goes against your claims of the majority of users using binary wheels. You don't know who your users are. Edit: Query for reference:
|
I've deleted all my comments in this issue to stop affecting anyone who can be affected in negative manner by them. But I still want to describe my point of view: despite of authors are have all the rights about their code, I personally think that becoming an industry standard adds something like "moral restrictions" and responsibility, even over "all of those who uses it wrong way". |
You might be right that majority of our users don't use binary wheels. You might draw wrong conclusion from the statistic, because the data might not reflect a large chunk of our users. Amongst others packages or container image layers are cached at multiple levels. Linux distros and Python distributions like Anaconda have their own distribution channels. It's impossible to draw accurate user statistics from the download stats. |
@kaniini I gather that you are interested in a "manymusl" format. I created a thread for it on Python Discourse, I invite you to share your thoughts: https://discuss.python.org/t/wheels-for-musl-alpine/7084/15 The largest obstacle so far is that there'd have to be a champion for the standard. While I'd love to try to contribute in this way, I'm pretty sure it's above my head for now. |
Yet you used statistics from exact same source to claim that the majority of your users use Linux. It is impossible to draw any reliable user statistics for a project with such wide usage, yet you try to justify your choices with claims about your users that you made up. |
I don't think its even the right statistic. Ask JFrog how many of their clients have Artifactory, and how many instances those clients have. If you count in those (how would you even count them?), then maybe you can get any sort of real world value for downloads. Counting it in terms of users is IMO the wrong way to go about it. If I have a small business that does ~1000 CI runs a day, and I lead the business alone, do you count me in the same way as the guy next door who accidentally downloaded These stats say nothing about the scale of the problem, and arguing over them is a waste of time. |
That's where I am not agree and think the OSS will burnout most mainteners: it's up to tje industry to manage all this additonal load (because it is, and lot of overload for such a project), not to upstream. If it's managed by a big corpo, it's ok: they have all the power to manage such a load (they already doing it for internal use) |
@ljmccarthy That backend did used to exist. It was removed in LLVM 3.1, which was released in 2012. I think there's some unofficial C backend for modern LLVMs, but there's a decent chance it's not quite production-ready.
@kaniini Problem is, that probably won't happen for years, and does anyone really want to take on the burden of maintaining a However, if you're willing to do so, that's great! |
Yep, forced to do the same (AWS Glue broke when importing this for requests lib) |
This is to avoid a known issue with a recent version of cryptography [1] [1] pyca/cryptography#5771 Change-Id: I034bcd24031b5881ae49b8bc03bed6654cd1d335
* Update bifrost from branch 'master' to 5360d0e869daaa9bdb6ab0eeedfd1600453bfd4d - Install at least pip version 19.1.1 This is to avoid a known issue with a recent version of cryptography [1] [1] pyca/cryptography#5771 Change-Id: I034bcd24031b5881ae49b8bc03bed6654cd1d335
Switching to Rust and locking out dozens of platforms is worse for security, because now those users have no choice but to rely on outdated security-critical software OR to port Rust to their platform, which is a gargantuan effort (hi, someone who has tried - and failed - to port Rust to a new platform here). A lot of those people can't afford to "upgrade" to newer hardware - much of which brings its own security concerns, like UEFI. C is not evil. C is not a bad programming language. C is a universally supported language. Cargo culting Rust is harmful to the ecosystem. |
There were questions on how the announcement/notifications could be handled better. Well, it's fair to say that this change affects the Python ecosystem as a whole, and so release notification should have been posted to the https://mail.python.org/mailman3/lists/python-announce-list.python.org/ mailing list. And indeed it was! But I'd say it was pretty meek: https://mail.python.org/archives/list/python-announce-list@python.org/thread/J6VZ22LY5IS3WG5SMICUSWQQOK5SAFTQ/ Given the effect it caused, it should have a subject:
and should have started with:
And I'm only half-joking here, your recent release announcement before/with such a big change really contain too few exclamation marks and all-caps. And I second what other people said - dear Thanks! |
C is in fact very bad and I have a mountain of research to prove it: https://www.usenix.org/conference/enigma2021/presentation/gaynor |
|
You read my slides very quickly! I can tell you took them seriously and didn't just drop that link immediately. |
You're right - I don't take your research seriously! |
I recommend not using this software package then, regardless of what languages its written in. (Of course, I suspect that's already the case -- you're not a user, you just showed up to complain because this is your hobby horse.) |
I am a cryptography user, as a matter of fact, and a packager for affected systems. But thanks for the ad-hominem speculation, appreciate it. |
My apologies. I regret engaging with you at all. First: this is going to be the second to last last comment on this thread. I think it's run its course. Folks should please feel empowered to file new issues, but I'd request that you only file issues for either a) new issues, b) concrete improvements not already discussed here. Second: Thank you to all the folks who have engaged constructively here. Our release is better for your contributions. Third: The last comment on this thread will be a summary of everything discussed here, I'll leave that after I finish writing it. |
I now want to summarize the state of various discussions here: Outdated Rust installationsWe now take advantage of an option in setuptools-rust to provide a clear error message when a user's Rust installation is too old. In the future, we'll be somewhat conservative in increasing our MSRV. Update: We have lowered the MSRV to 1.41 in #5823 and this change was released in 3.4.5. No Rust installation at allWe've now documented very aggressively how to obtain a Rust installation, and to update pip (which will solve the problem for folks on manylinux-compatible distributions). No future steps are expected. AlpineWheelsIt looks like there's folks actively interested in specifying many-musl. Excellent! Once that's defined and supported in pip, we'll ship wheels for that platform. Update September 20, 2021: The Bootstrapping Rust on supported platformsWe'll reach out off-list to see how we can support this effort. LTSWe'll engage on the thread that @tiran filed. SemVerWe'll consider it, however, I am skeptical for the simple reason that this change would not have required a major version bump (no public APIs were changed). Therefore it's clear that what folks wanted was a major version bump regardless of semver. CommsIn the future, when we know about a change like this well in advance, we'll include it in our CHANGELOG as soon as we know about it. If a platform for proactively reaching out to PyPI users exists, we'll use it. Alpha, S390, HPPA, HPUX, AIX, etc.Best of luck. I'd encourage you to contribute platform support to LLVM or contribute to gccrs. My work to promote language-level memory safety will continue unabated. MiscellanyI'm sure I missed something (though I did just re-read this thread in its entirety). |
I would like to report that the newly added dependency on Rust has made it impossible to package cryptography for a number of supported Gentoo architectures (and these are architectures where people actually use Python packages that depend on cryptography).
Please see Platform Support. Besides degrading a few of our targets to 'Tier 3', Rust completely does not support at least alpha, hppa, ia64, m68k, s390 (not -x). The cost of adjusting cryptography's C code to these platforms (even if we assumed they wouldn't work out of the box as they do so far) is much less than the cost of porting the whole Rust. You can't really expect volunteers to port the whole Rust to other architectures just to get cryptography back.
Right now it's a really hard struggle to even get Rust packaged for non-Tier 1 architectures (i.e. where upstream does not provide bootstrap binaries).
The text was updated successfully, but these errors were encountered: