Dependency on cryptography breaks upgrades

Summary

Unfortunately, the maintainers of the pyca/cryptography package have made Rust a hard dependency in newer releases. Since they cut short any discussion about this (not your problem, but a problem for the Python community in general), I was not able to explain to them that a dependency that is required by default and must be manually disabled can be considered a hard dependency.

As a result, updating any package that depends on cryptography breaks. Yours happens to be a widely used one.

It’s not your fault, for which I am sorry. But you can solve this for your package by keeping your requirement on cryptography restricted to versions that do not require Rust.

Issue Type

Bug Report

Component Name

No component

Ansible Version

Any that has an unbounded dependency on cryptography

Configuration

n/a

OS / Environment

any

Steps to Reproduce

pip install -U ansible

Expected Results

I expect ansible to upgrade

Actual Results

Pip fails to install ansible if there is no Rust toolchain installed.

3 thoughts on “Dependency on cryptography breaks upgrades”

  1. The cryptography package does not have a hard dependency on that to install. As mentioned in the numerous threads and issues, you only need Rust if you cannot use their wheels. Ensuring you have a new enough pip version is typically the easiest solution to ensure your Linux distribution can use the wheels automatically.

  2. This is not something we are going to do anything about. Restricting the version ensures that users will get caught by security vulnerabilities in the library.

    Feel free to create your own constraints.txt file, or use OS packaging instead.

    If you have further questions please stop by IRC or the mailing list:
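The two replies above boil down to one operational check: make sure pip is new enough to select cryptography's binary wheels, and never let an upgrade silently fall back to a source build. The script below is an added example, not code from the issue thread or from the Ansible or pyca projects. It assumes pip 19.3 as the minimum for the manylinux2014 wheels that cryptography publishes (an assumption; adjust `MIN_PIP` if your platform needs a different floor) and uses pip's real `--only-binary` option so that a missing wheel aborts the install instead of invoking the Rust toolchain. It deliberately does not pin cryptography to an old version, for the reason the maintainer gives: a pin would freeze the package on releases that no longer receive security fixes.

```shell
#!/bin/sh
# Added example (not from the issue thread). Upgrade ansible while refusing to
# build cryptography from source, so a host without Rust fails fast and loudly
# rather than starting a compile or, worse, being pinned to an old release.

MIN_PIP="19.3"   # assumed minimum pip for manylinux2014 wheel support

# version_ge A B: return 0 if dotted version A >= B, comparing the first two
# numeric fields ("21.1.2" vs "19.3"). Missing minor field counts as 0.
version_ge() {
    a_major=${1%%.*}
    case $1 in *.*) a_minor=${1#*.}; a_minor=${a_minor%%.*};; *) a_minor=0;; esac
    b_major=${2%%.*}
    case $2 in *.*) b_minor=${2#*.}; b_minor=${b_minor%%.*};; *) b_minor=0;; esac
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# check_pip: return 0 if the pip on PATH is new enough to use binary wheels,
# otherwise print the remediation and return 1.
check_pip() {
    if ! command -v pip >/dev/null 2>&1; then
        echo "pip not found on PATH" >&2
        return 1
    fi
    v=$(pip --version | awk '{print $2}')   # "pip 21.1 from ... (python 3.9)" -> "21.1"
    if version_ge "$v" "$MIN_PIP"; then
        echo "pip $v can use cryptography's binary wheels"
        return 0
    fi
    echo "pip $v is older than $MIN_PIP; run: pip install -U pip" >&2
    return 1
}

# upgrade_ansible_wheels_only: upgrade ansible, but only ever take cryptography
# as a prebuilt wheel. If no wheel matches this platform/Python, pip aborts
# instead of attempting a source build that needs cargo/rustc.
upgrade_ansible_wheels_only() {
    pip install -U --only-binary cryptography ansible
}

# Usage (run by hand, not at load time):
#   check_pip && upgrade_ansible_wheels_only
```

Because the install is wrapped in a function, sourcing the file only defines the helpers; run `check_pip && upgrade_ansible_wheels_only` to perform the upgrade. If `check_pip` reports an old pip, upgrading pip first is the fix the maintainer recommends, and it keeps you on a current cryptography release rather than a pinned one.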