Unfortunately, the maintainers of the pyca/cryptography package have made Rust a hard dependency in newer releases. Since they cut short any discussion about this (not your problem, but a problem for the Python community in general), I was not able to explain to them that a dependency that is required by default and must be manually disabled can be considered a hard dependency.
As a result, updating any package that depends on cryptography breaks. Yours happens to be a widely used one.
It's not your fault, for which I am sorry. But you can solve this for your package by keeping your requirement on cryptography restricted to versions that do not require Rust.
Expected Result
When I pip install -U requests[security], the update works.
Actual Result
I get errors that newer versions of cryptography require a Rust toolchain.
Reproduction Steps
see above.
System Information
various
No. In fact, I think we should raise the lower limit to the ones requiring the Rust toolchain. It's significantly more secure, which is one of the tenets of this library - maximum security by default for users.
I disagree. Rust has the potential to introduce more security, but the same was said of Java. We all know how that ended. While Rust is following a different design, it'll take more time to prove its approach.
Well, I raised the issue to the PSF directly, so maybe we'll come back to that. Maybe not.
The problem is that Rust just doesn't support the same range of target platforms that C or C++ do. So this excludes a bunch of e.g. embedded platforms that are currently still viable targets. I don't think that's the right approach for Python as a whole. Hence getting the PSF involved.
But it may be sufficient for requests. At least I'm not going to argue about it here. I tried raising this, if it's rejected then so be it.
psf locked as resolved and limited conversation to collaborators on Mar 11, 2021