begging for pyme name change

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 28 22:22:27 CEST 2016


On Wed 2016-10-26 19:47:11 -0400, Daniel Kahn Gillmor wrote:
> If not, I'm starting to think that python-gpgme2 (along with deprecation
> of all the other bindings) would be the simplest approach toward
> cleaning up the python ecosystem here.

I just looked at https://pypi.python.org/pypi/ (warning! takes a while
to load!) and pulled out all the packages that had either gpg or gnupg
(matched case-insensitively) in their name or their description.

I'd really like to resolve this; if we're considering renaming the
upstream-supported python module, we should do so as soon as possible.
Then we can set about trying to clean up the rest of the ecosystem.

I noticed there is no pypi module just named "gpg".

"pygpg" does produce a module that can be loaded with "import gpg", but
is only a few hundred lines of code, and has received no updates for
over 3 years. Both PyPI and https://github.com/faust/pygpg claim that it
belongs on https://www.abnorm.org/projects/pygpg/, but abnorm.org
appears to have no DNS records, and i suspect the author's e-mail
address (which i'm cc'ing here) will bounce.

In addition to this, pygpg appears to be littered with shell-escape
arbitrary code execution due to its liberal use of Popen:

   https://github.com/faust/pygpg/blob/master/gpg/__init__.py

Anyone using pygpg to deal with remotely untrusted input probably has
serious problems :/

So it seems likely that, as GnuPG upstream, we could simply claim the
"gpg" name on PyPI, and that we could just take over the "gpg" module
name as well.

If we did that, we could then go through the remaining python modules
related to the GnuPG suite and ask them to deprecate or unpublish any
that don't directly use the "gpg" module.  (i don't know how deprecation
or unpublishing works on PyPI, but i guess we could try to figure it
out.)

What do folks think of claiming the name "gpg" in the python module
namespace (and in the PyPI source namespace) as a way forward?  I can
provide a patch if people think that's the right thing to do.

     --dkg


PS Here's the list of relevant packages i found:

-----------------
2factorcli
		1.1.3 This is a simple python program to allow you to store and generate time-based one-time passwords in a GPG encrypted vault.
blockstack-gpg
		0.0.13.0 GPG integration for Blockstack client applications
cryptic
		0.0.1 Encrypted messaging using GnuPG
crypto
		1.4.1 Simple symmetric GPG file encryption and decryption
django-gnupg-mails
		0.1 A Django reusable app providing the ability to send PGP/MIME signed multipart emails.
easygpg
		0.0.0
EncryptedGmailBackup
		0.0.4 Backup your GMail account with GPG encryption.
ezgpg
		0.2.2 Simplified GPG UI
gnupg
		2.0.2 A Python wrapper for GnuPG
GnuPGInterface
		0.3.2 GnuPG interactions with file handles
gnupg-securedrop
		1.2.5-9-g6f9d63a-dirty A Python wrapper for GnuPG
gpgdir
		0.1 encrypts the contents of a dir with gpg
gpg-inline
		0.1
gpgkeys
		1.23 A GnuPG Shell
gpglib
		0.1.1 Library for decrypting gpg that doesn't shell out to gpg
gpgmailencrypt
		3.1.0 an e-mail encryption, virus- and spam- checking module, gateway and daemon
gpgmime
		0.1
gpgpass
		0.1.3 Password manager for groups. Searching thru GPG-encrypted password files.
keybone
		0.3.2 Create/Manage/List GPG Keys and Encrypt/Decrypt things with them
keybox-keys
		0.1 Storage for passwords, encrypted with GPG
Krypton
		0.1.2 GPG/PGP Keyserver with many enhancements
mikla
		0.2.1 A command line tool to edit text files encrypted with GnuPG whilst preventing the plaintext from being written to the hard drive.
pearpass
		1.0.2 Scripts for managing secrets with Octopus and GnuPG.
pw
		0.9.0 Search in GPG-encrypted password file.
pygpg
		1.1 GnuPG python wrapper.
pygpgme
		0.3 A Python module for working with OpenPGP messages
pyme
		0.9.0 Python support for GPGME GnuPG cryptography library
pyme3
		1.7.1 Python bindings for GPGME GnuPG cryptography library
python-gnupg
		0.3.9 A wrapper for the Gnu Privacy Guard (GPG or GnuPG)
regnupg
		0.3.5 A wrapper for the Gnu Privacy Guard (GPG or GnuPG)
reikna
		0.6.7 GPGPU algorithms for PyCUDA and PyOpenCL
secret-notes
		0.1 store your secrets using GPG!
-----------------
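
The shell-escape concern raised in the message above, shown as an added example that is not part of the original post and is not pygpg's code: the same hostile filename passed to a child process once through a shell-parsed command string and once as an argument vector. `FAKE_GPG` (a stand-in that prints the arguments it receives, so the example runs without GnuPG), `HOSTILE_NAME` and both function names are assumptions made for illustration.

```python
import shlex
import subprocess
import sys

# Stand-in for the gpg binary (assumption, so this runs without GnuPG):
# a child process that prints each argument it received on its own line.
FAKE_GPG = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]

# Constructed hostile input: a "filename" carrying a shell metacharacter.
HOSTILE_NAME = "msg.gpg; echo INJECTED"


def decrypt_via_shell(filename):
    """Risky pattern: command assembled as one string and parsed by /bin/sh."""
    cmd = shlex.join(FAKE_GPG) + " --decrypt " + filename
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def decrypt_via_argv(filename):
    """Hardened pattern: argument vector, no shell; "--" ends option parsing."""
    argv = FAKE_GPG + ["--decrypt", "--", filename]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # In the shell variant the text after ";" runs as a second command.
    print("shell:", decrypt_via_shell(HOSTILE_NAME))
    # In the argv variant the whole string arrives as one filename argument.
    print("argv :", decrypt_via_argv(HOSTILE_NAME))
```

The `--` separator also keeps a filename that begins with a dash from being read as an option, which avoiding the shell alone does not prevent.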
