begging for pyme name change
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 28 22:22:27 CEST 2016
On Wed 2016-10-26 19:47:11 -0400, Daniel Kahn Gillmor wrote:
> If not, I'm starting to think that python-gpgme2 (along with deprecation
> of all the other bindings) would be the simplest approach toward
> cleaning up the python ecosystem here.

I just looked at https://pypi.python.org/pypi/ (warning! takes a while
to load!) and pulled out all the packages that had either gpg or gnupg
(matched case-insensitively) in their name or their description.

I'd really like to resolve this; if we're considering renaming the
upstream-supported python module, we should do so as soon as possible.
Then we can set about trying to clean up the rest of the ecosystem.

I noticed there is no pypi module just named "gpg".

"pygpg" does produce a module that can be loaded with "import gpg", but
is only a few hundred lines of code, and has received no updates for
over 3 years. Both PyPI and https://github.com/faust/pygpg claim that it
belongs on https://www.abnorm.org/projects/pygpg/, but abnorm.org
appears to have no DNS records, and i suspect the author's e-mail
address (which i'm cc'ing here) will bounce.

In addition to this, pygpg appears to be littered with shell-escape
arbitrary code execution due to its liberal use of Popen:

Anyone using pygpg to deal with remotely untrusted input probably has
serious problems :/

So it seems likely that, as GnuPG upstream, we could simply claim the
"gpg" name on PyPI, and that we could just take over the "gpg" module
name as well.

If we did that, we could then go through the remaining python modules
related to the GnuPG suite and ask them to deprecate or unpublish any
that don't directly use the "gpg" module. (i don't know how deprecation
or unpublishing works on PyPI, but i guess we could try to figure it

What do folks think of claiming the name "gpg" in the python module
namespace (and in the PyPI source namespace) as a way forward? I can
provide a patch if people think that's the right thing to do.

PS Here's the list of relevant packages i found:
1.1.3 This is a simple python program to allow you to store and generate time-based one-time passwords in a GPG encrypted vault.
0.0.13.0 GPG integration for Blockstack client applications
0.0.1 Encrypted messaging using GnuPG
1.4.1 Simple symmetric GPG file encryption and decryption
0.1 A Django reusable app providing the ability to send PGP/MIME signed multipart emails.
0.0.4 Backup your GMail account with GPG encryption.
0.2.2 Simplified GPG UI
2.0.2 A Python wrapper for GnuPG
0.3.2 GnuPG interactions with file handles
1.2.5-9-g6f9d63a-dirty A Python wrapper for GnuPG
0.1 encrypts the contents of a dir with gpg
1.23 A GnuPG Shell
0.1.1 Library for decrypting gpg that doesn't shell out to gpg
3.1.0 an e-mail encryption, virus- and spam- checking module, gateway and daemon
0.1.3 Password manager for groups. Searching thru GPG-encrypted password files.
0.3.2 Create/Manage/List GPG Keys and Encrypt/Decrypt things with them
0.1 Storage for passwords, encrypted with GPG
0.1.2 GPG/PGP Keyserver with many enhancements
0.2.1 A command line tool to edit text files encrypted with GnuPG whilst preventing the plaintext from being written to the hard drive.
1.0.2 Scripts for managing secrets with Octopus and GnuPG.
0.9.0 Search in GPG-encrypted password file.
1.1 GnuPG python wrapper.
0.3 A Python module for working with OpenPGP messages
0.9.0 Python support for GPGME GnuPG cryptography library
1.7.1 Python bindings for GPGME GnuPG cryptography library
0.3.9 A wrapper for the Gnu Privacy Guard (GPG or GnuPG)
0.3.5 A wrapper for the Gnu Privacy Guard (GPG or GnuPG)
0.6.7 GPGPU algorithms for PyCUDA and PyOpenCL
0.1 store your secrets using GPG!
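
Added example, not part of the original message and not pygpg's code: the class of bug the message attributes to "liberal use of Popen", shown as a wrapper that pastes an untrusted file name into a shell command line next to a hardened form that passes an argument list. The function names, the sample file name and the use of "echo" as a stand-in for the gpg binary are assumptions made so that it runs on a POSIX system without GnuPG installed.

```python
import subprocess

# Constructed sample: a file name taken from untrusted input (for example an
# attachment name). The text after ';' is a harmless marker command.
UNTRUSTED_NAME = "msg.asc; echo INJECTED"

# "echo" stands in for the gpg binary (assumption), so the output is simply
# the argument list the real program would have received.
STAND_IN = "echo"


def decrypt_via_shell(name):
    """Pattern to avoid: the name is pasted into a string parsed by /bin/sh."""
    cmd = f"{STAND_IN} gpg --decrypt {name}"
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=True)
    return out.stdout.splitlines()


def decrypt_via_argv(name):
    """Hardened form: no shell, one list element per argument.

    The '--' ends option parsing, so a name that begins with '-' cannot be
    read as a command-line option either.
    """
    argv = [STAND_IN, "gpg", "--decrypt", "--", name]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # With the shell, the marker runs as a second command of its own.
    print("shell:", decrypt_via_shell(UNTRUSTED_NAME))
    # With an argument list, the whole string stays a single file name.
    print("argv: ", decrypt_via_argv(UNTRUSTED_NAME))
```

When reviewing a wrapper of this kind, the things to look for are `shell=True`, `os.system`, `os.popen` and command strings assembled by concatenation or formatting.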