  File "/usr/lib64/python2.7/site-packages/Crypto/PublicKey/RSA.py", line 393, in decrypt
    raise NotImplementedError("Use module Crypto.Cipher.PKCS1_OAEP instead")
NotImplementedError: Use module Crypto.Cipher.PKCS1_OAEP instead
Do we want to keep this package? It seems barely maintained upstream, with a lot of open bugs and an official list of security issues with the design. AFAICS it's only an optional dependency of app-admin/ansible (CC-ing its maintainers).
Depending on how important keyczar is to ansible, I'd say we should either lastrite it, or pass maintenance over to ansible maintainers.
I'm fine with removing support of keyczar from ansible. Pipelining should be used now.
But does removing it break anything for users, or does it switch transparently?
While the upstream sources still reference pycrypto, the sources appear to be fully compatible with pycryptodome. Simply updating ebuild dependencies to reference pycryptodome should be sufficient. Also note that this package will find and prefer m2crypto if installed, in which case it will not use pycrypto(dome) at all.
OK, missed mgorny's comment -- and it looks like it may need a patch for pycryptodome :/ -- working on it...
OK, the code makes extensive use of one of the design patterns in pycrypto that was deprecated in pycryptodome -- the use of .encrypt() and .decrypt() methods. It is possible to get the code working with pycryptodome but would require a significant amount of work. It may be best to deprecate this ebuild as it seems to have some security issues in its general design, so things should be migrating away from it anyway.
dev-python/wheel needs keyrings_alt which needs keyczar
Think of this as an amputation for security reasons and an unwavering commitment to the health of the portage tree. Let's figure out what limb to remove. keyrings_alt simply looks like it offers alternate storage backends for keyring. In theory it should be safe to remove keyczar support from keyrings_alt and not impact wheel. I will research further as it would be lovely to remove keyczar.
OK, as I suspected, support for keyczar in keyrings.alt is just one of its modules. I'll develop a patch for keyrings.alt to remove the keyczar dependency, and it looks like keyrings.alt has a hidden dependency on pycrypto as well (at least according to one of its open GitHub issues), so I'll investigate that as well and see if I can address it.
Created attachment 511580
Remove keyczar support; migrate from pycrypto to pycryptodome.
Attached is a patch which removes keyczar support and migrates keyrings.alt from pycrypto to pycryptodome. Applies against GitHub master https://github.com/jaraco/keyrings.alt 2702f9159502fc784815c50e03002991b6745f19