Too many dependencies

[bmw]

Users/developers have reported that our project has too many Python dependencies. This is related to things being overly complex.

Here is pde's attempt to characterize what our dependencies currently are:

1. Purely for certbot-auto and the things it needs to build, not for
   the python code itself (these no longer apply on recent OSes where we have packages):

   git
   gcc
   python-dev
   libffi-dev
   libssl-dev
   setuptools
   virtualenv

2. Essential OS packages
   python
   openssl

3. Semi-essential OS packages:
   dialog

4. Needed for specific plugins:

   python-psutil (standalone -- see what has bound :80 or :443) (now only "recommended")
   libaugeas0 (apache -- parse & edit conf files)
   python-augeas

5. Python dependencies:

   ConfigArgParse (for reading config files)
   configobj (for writing & reading renewal conf files)
   python-cryptography (>= 0.8)
   PyOpenSSL (>= 0.15) (>= 0.13)
   pythondialog
   ndg-httpsclient (for working around TLS insecurities in older Python versions)
   requests
   six

6. Python dependencies specifically related to time processing. It seems
   absurd that there are four of these:

   werkzeug
   pytz
   parsedatetime
   pyicu (needed by parsedatetime)
   pyrfc3339

7. Python dependencies for python-cryptography:
   idna
   enum34
   ipaddress
   cffi
   pycparser (build dep only, but affects letsencrypt-auto)
   pyasn1

8. These were used to define plugin interfaces. Not sure if that was wise,
   but it's probably annoying to third parties if we ditch them:

   zope.components
   zope.interface
   zope.event

9. Development and doc-building dependencies. For reasons I don't
   yet understand, pip always fetches some of these too:

   mock
   funcsigs (mock depends on this)
   pbr (mock depends on this)
   sphinxdocs

[pde]

We should be able to remove some of them. At some point we could go from needing argparse (which isn't a non-Python dependency), configargparse, and configobj, to needing zero or one of those.

Perhaps we one day we can get rid of PyOpenSSL.

We have three time-related dependencies, pyrfc3339, parsedatetime, pytz. Perhaps we can rationalise those.

[pde]

First small subticket: #1861

[bmw]

To elaborate on @pde's comments (which I moved to the first post in this issue), I tried to characterize some actions we could take to reduce or dependencies. While I believe reducing our dependencies is a worthwhile goal, it is worth noting that it will slow down development on other features of the client.

Remove dependency on git

This is going away in 0.2.0 with the changes to letsencrypt-auto.

Remove psutil, cryptography, and PyOpenSSL

This would be a major change. We currently use the three packages for the following:

psutil

• Used to tell the user what process is listening on the port we want

cryptography

• SHA2
• HMAC
• RSA
  • PSS and PKCS1v15 padding
  • Help with RSA to/from JSON
• Serializing/parsing keys and certs
• Loading/saving/converting keys

PyOpenSSL

• Generating RSA keys
• Serializing/Parsing certs and CSRs
  • Getting data like notBefore/notAfter values from certs
• TLS handshake
• Creating certs/CSRs
• Loading/saving/converting certs and CSRs

Removing psutil may be a minor usability loss and removing cryptography and PyOpenSSL would be a lot of work. We could likely replace all/most of this functionality with calls to the openssl command line. I don't think that's as clean from a code quality perspective, but it would allow us to drastically reduce our dependencies. Removing these three dependencies removes the following additional packages:

OS packages:

• gcc
• python-dev
• libffi-dev
• libssl-dev

Python packages

• idna
• enum34
• ipaddress
• cffi
• pycparser

Consolidate werkzeug, pytz, parsedatetime, and pyrfc3339 into one package

There packages are all for parsing/manipulating dates and may are only used in one or two places in the code. Do we really need four packages for this or can we consolidate them? Their current uses are:

werkzeug (used exactly once in the code)

• parse value of Retry-After header

pytz

• specifying UTC timezone to other libraries

parsedatetime

• determining the difference between two date/times

pyrfc3339

• you guessed it: parse/generate RFC3339 timestamp

Consolidate/remove configargparse/configobj

These packages are both used for processing config files. They do slightly different things, but we could remove configargparse and only use configobj. It'd be slightly hacky and only allows us to drop one package, but we have code that does a lot of what configargparse does using configobj in renewer.py.

With this said, both projects are largely unmaintained and perhaps we should consider other alternatives.

Install pyasn1 and ndg-httpsclient only when needed

These packages are used to fix the InsecurePlatformWarning that occurs while using urllib3 with older versions of Python. We currently always install these packages and doing so is not necessary.

[kuba]

If you want to subprocess everything to openssl binary maybe you should consider switching the default client to C/C++? :P Or maybe Go?

To be clear here, I don't want acme to be using subprocess, so that would have to be a completely new project / library.