Cryptography: cffi version mismatch installing cryptography
All 8 comments
This appears to be a problem with the way cffi is upgrading via pip/setuptools and not anything directly related to cryptography (which only requires >=1.1.0). /cc @dstufft as I'm guessing he'll know what happened here.
reaperhulk
on 23 Nov 2015
Hey Ian!
Does this reproduce if you drop the -t lib/?
alex
on 24 Nov 2015
Hey Alex, it seems to. :(
On Mon, Nov 23, 2015 at 6:45 PM Alex Gaynor [email protected]
wrote:
Hey Ian!
Does this reproduce if you drop the -t lib/?
—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/issues/2491#issuecomment-159106028.
ianloic
on 24 Nov 2015
@ianloic What OS are you running this on?
dstufft
on 24 Nov 2015
Debian unstable.
On Tue, Nov 24, 2015 at 2:25 PM Donald Stufft [email protected]
wrote:
@ianloic https://github.com/ianloic What OS are you running this on?
—
Reply to this email directly or view it on GitHub
https://github.com/pyca/cryptography/issues/2491#issuecomment-159379869.
ianloic
on 24 Nov 2015
Ok. I've reproduced the error and I know why it happens.
Basically, the CFFI library ships a single package on PyPI which has both build time and runtime components and there is a strict requirement that the two versions match. Debian has taken that single library and split it into two pieces, the build time and runtime components and made it so that you can install _only_ the runtime component without the build time component.
Then what happens is when pip attempts to install cryptography it downloads the CFFI from PyPI (which is now a newer version of CFFI than what you have in Debian unstable) and installs it. Then when it attempts to actually import it, it gets the runtime components from Debian but the build time components from PyPI which are not compatible and it blows up.
The quick fix is to run apt-get install python-cffi to also install the build time components from Debian so pip won't attempt to install them from PyPI. The longer term fix is going to require talking to Debian and figuring out what (if anything) they want to do about it.
dstufft
on 24 Nov 2015
Closing this since it's not an issue cryptography can control -- I'd suggest raising this with Debian with Donald's information so they can start thinking about what (if anything) they want to do.
reaperhulk
on 2 Dec 2015
Very helpful, thank you @dstufft
j10sanders
on 23 Oct 2016
Related issues
clarius-deploy
·
22Comments
chitoge
·
26Comments
ShaneHarvey
·
20Comments
mgorny
·
179Comments
mhils
·
28Comments
Most helpful comment
Ok. I've reproduced the error and I know why it happens.
Basically, the CFFI library ships a single package on PyPI which has both build time and runtime components and there is a strict requirement that the two versions match. Debian has taken that single library and split it into two pieces, the build time and runtime components and made it so that you can install _only_ the runtime component without the build time component.
Then what happens is when pip attempts to install cryptography it downloads the CFFI from PyPI (which is now a newer version of CFFI than what you have in Debian unstable) and installs it. Then when it attempts to actually import it, it gets the runtime components from Debian but the build time components from PyPI which are not compatible and it blows up.
The quick fix is to run
apt-get install python-cffito also install the build time components from Debian so pip won't attempt to install them from PyPI. The longer term fix is going to require talking to Debian and figuring out what (if anything) they want to do about it.