Update third-party/python/PyECC to a version that supports py3
Categories
(Firefox Build System :: General, task, P3)
Tracking
(firefox77 fixed)
| | Tracking | Status |
|---|---|---|
| firefox77 | --- | fixed |
People
(Reporter: mshal, Assigned: rstewart)
Attachments
(1 file)
Comment 1 • 5 years ago (Assignee)
This one is a puzzler. The package seems to come from https://github.com/niccokunzmann/ecc, which is a fork of https://github.com/amintos/PyECC, which says it's been "unmaintained since 2012" and "can be easily broken using side-channel attacks". (To my knowledge we don't use this package for anything security-critical -- though I am not 100% sure that's true.) We can try to re-fork this and bring the code up to date with a modern Python, but that choice seems dubious when we could go with a more battle-tested modern Python package.
Ideally I would like to see this replaced with a new package that 1) is compatible with both Python 2 and Python 3 [for the purpose of our transition period], 2) is at feature parity with the old version of ecc, 3) has as few dependencies as possible (especially on C/C++ code) for ease of vendoring, and 4) is well-maintained, hopefully by a person who is knowledgeable about crypto. py-ecc appears to be the closest to meeting all these requirements, but it doesn't support Python 2. If it's feasible to port all the scripts that directly/indirectly depend on ecc to Python 3 in one big patch, then maybe py-ecc can work.
Comment 2 • 5 years ago
PyECC is not used by anything that must run with both Python 2 and 3. I think it doesn't matter if whatever we use as a replacement is Python 3-only.
Comment 3 • 5 years ago (Assignee)
Comment 5 • 5 years ago
bugherder