Ave1

The code of PGPy¹ sucks.

A good indication of the quality of a Python package is the 'requirements.txt' file, reproduced here;

cryptography>=1.1
enum34
pyasn1
six>=1.9.0
singledispatch

The cryptography package will need to be reviewed separately. A quick view at the PYPI package index for cryptography is already good for some lulz². The enum34 brings the Python 3 enumeration type to Python 2. Only one object is used from the package pyasn1 and the functionality provided in this object could all have been implemented in an hour in PGPy. If you see six as a requirement, you know you are in trouble. The six package is for when an package author wants to program in Python 2 but also wants to make it's³ program work in Python 3 without any conversion. So six indicates that you will be reading code that is not Python 2 and will use the from future import print_function, the from future import division and more. Any author writing packages requiring six can be safely negrated. The singledistpatch package is again something from Python 3⁴. Based on these requirements alone, I conclude that PGPy sucks.

Next, the types.py file in the pgpy directory. The code in this file failed to run on my systems and so triggered this review. The first class definition therein is an Armorable class. Clearly the authors did not know it is forbidden to define any -able class in Python. The Armorable class contains the full implementation of converting objects into armored⁵ text and vice versa. This is a mistake, as -able stands for Capable of being ..., the being in that fragment will need to be implemented by something else. If something is drinkable it usually does not drink itself, but is has properties that make it drinkable to someone. And which of it's many properties make it drinkable is determined by the drinker not by the drunk. Based on this class alone, I conclude that PGPy sucks.

Two classes in types.py are defined with a meta class (the Armorable and the MetaDispatchable). The whole metaclass mess is defined in PEP-3119. Go and read it if you want to waste your time. The definition of MetaDispatchable provides for an extra complex and custom object-orientation. Remember, we are reviewing a package to handle PGP code. Another strike against PGPy and I will not bore you with more.

1. Yes not pgpy or PGPY but PGPy [↩]
2. The first only example is with a Fernet symmetric encryption recipe as if that is something. [↩]
3. Yes it's [↩]
4. I'm not following Python 3 but clearly the development of Python 3 has gone over the deep end [↩]
5. A PGPism [↩]

This entry was posted on Tuesday, May 29th, 2018 at 12:17 and is filed under PGP. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.