Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specify optional dependencies per feature #482

Closed
lukpueh opened this issue Dec 13, 2022 · 1 comment · Fixed by #493
Closed

Specify optional dependencies per feature #482

lukpueh opened this issue Dec 13, 2022 · 1 comment · Fixed by #493
Assignees
@lukpueh

Comments

@lukpueh
Copy link
Member

lukpueh commented Dec 13, 2022

We use optional dependencies (aka. extras) to allow a default installation with limited capabilities (e.g. verify ed25519 signatures using a pure Python implementation), which is useful for securesystemslib dependents (e.g. python-tuf), that need to be installable without any native dependencies (e.g. vendored into pip).

The full or a specific larger feature-set (e.g. signing) can be installed by specifying those extras like so:

pip install securesystemslib[crypto, asn1, pykcs11] # for hsm signing support

Except for hiding version constraints this is hardly more useful than telling user to install like so

pip install cryptography asn1crypto PyKCS11

Current behavior:

Specified per library:

securesystemslib/pyproject.toml

Lines 45 to 51 in e2a08b1

[project.optional-dependencies]
crypto = ["cryptography>=37.0.0"]
gcpkms = ["google-cloud-kms"]
pynacl = ["pynacl>1.2.0"]
PySPX = ["PySPX==0.5.0"]
asn1 = ["asn1crypto"]
pykcs11 = ["PyKCS11"]

Expected behavior:

  • figure out what "features(s)" cryptography, pynacl should be mapped to (or leave those as they are)
  • specify per feature,
[project.optional-dependencies]
[...]
gcpkms = ["google-cloud-kms"]
pq = ["PySPX==0.5.0"]
hsm = ["asn1crypto", "PyKCS11", "cryptography"]

Caveat:
Specifying them per feature is prone to redundancy. E.g. cryptography is needed for an hsm signing, but also for a traditional securesystemslib signing and gpg singing.
@jku
Copy link
Collaborator

jku commented Dec 29, 2022
edited
Loading

I suppose the real "features" look roughly like this:

feature: dependency
ed25519 (sign): pynacl
ECDSA: cryptography
RSA: cryptography
SPHINCS: PySPX
GCP: google-cloud-kms, cryptography
HSM: asn1crypto, PyKCS11, cryptography

The first four are just scheme-support that forces a certain version: whether we name the feature by the scheme-family or the dependency itself is not very important I think? Maybe we just leave them as they are (so the feature name is the dependency name) so we don't annoy existing users?

Last two (and hopefully more future features) are more interesting and should be named by the feature: I guess the acronyms are good enough? I don't see any major issue with the redundancy

Maybe GPG feature should also be defined -- it does depend on cryptography at least -- but I can see why that would be misleading as well... So maybe let's not tackle that issue here.

lukpueh added a commit to lukpueh/securesystemslib that referenced this issue Jan 11, 2023
@lukpueh
build: define "hsm" optional dependencies
5b31255 
This commit reverts 0928ceb,
defining all optional dependencies needed for hsm signing and
verification in one set.

As discussed in secure-systems-lab#482, this makes more sense from a user perspective.

The generic "crypto" (for cryptography) dependency is preserved to
not annoy existing users.

The new "hsm" dependency uses the same lower version bound for
cryptography as "crypto", although it might work with lower
versions. But it seems reasonable to keep constraints consistent.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh lukpueh mentioned this issue Jan 11, 2023
Merged
@KAUTH KAUTH mentioned this issue Jan 22, 2023
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lukpueh lukpueh

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Misc fixes in dependency definitions lukpueh/securesystemslib
2 participants
@jku @lukpueh