Hi, TL;DR: Does it make sense to upload the intermediary upstream version 3.4.8 or rather wait for someone to work on the Rust-based later versions?
I'm currently working on the OpenSSL 3.0 transition in Ubuntu, and python-cryptography in its current version in Debian and Ubuntu does not support it[0]. The current version of the package is 3.3.2-1, whereas upstream is at 36.0. Versioning scheme notwithstanding, upstream moves with a rapid pace, since 3.3.2 came out in February 2021. This package has recently gained some notoriety[1] for wanting to use Rust to replace parts of its C core. 3.4 introduces an optional dependency on the Rust toolchain, which became mandatory in 35.0 (think 3.5). Said 35.0 release also brought OpenSSL 3.0 support, which is why I first tried to update the package directly to 35.0 (36.0 wasn't out at the time), but it needs a good few packages that aren't, or weren't at the time, in the Debian archive, with transitive dependencies on crates that aren't necessarily version-compatible with what's currently in Debian. Furthermore, dh-python and pybuild aren't necessarily ready for the setuptools Rust extension. So, instead I opted for packaging the last Rust-optional version, 3.4.8, and backported the necessary OpenSSL 3.0 patches. I posted the result of this work on Salsa[2]. Now that the OpenSSL 3 transition has started in Ubuntu, I plan on uploading this package to our archive as I lack the time to do the necessary work for the Rust enablement, but I'm wondering if it makes sense to do the same in Debian? Cheers, Simon PS: please keep me in CC, as I'm not subscribed to the ML. [0]: https://bugs.launchpad.net/ubuntu/+source/python-cryptography/+bug/1946189 [1]: https://lwn.net/Articles/845535/ [2]: https://salsa.debian.org/python-team/packages/python-cryptography/-/merge_requests/6 -- Simon Chopin Foundations Team Ubuntu MOTU simon.cho...@canonical.com scho...@ubuntu.com
