fix: adopt uv for dependency management

[thisislawatts]

This PR migrates the Master node from using requirements.txt with pip to using pyproject.toml with uv for modern, faster dependency management.

Changes

• Replaced requirements.txt with pyproject.toml for dependency management
• Updated dependencies: Replaced outdated pycrypto with pycryptodome for better compatibility
• Updated entry point: Modified master.sh to use uv run instead of direct Python calls
• Updated documentation: Minimal changes to README.md to reflect uv usage
• Removed unnecessary files: Deleted __init__.py (not needed for standalone scripts)

Key Benefits

• Faster dependency resolution: uv is significantly faster than pip
• Better dependency management: Lock file ensures reproducible builds
• Modern standards: Uses PEP 621 (pyproject.toml) standard
• Improved compatibility: Updated cryptographic dependencies for modern systems
• Consistent environments: Development and production use the same dependency management

Usage

• Setup: uv sync (instead of pip install -r requirements.txt)
• Run: uv run python master.py --debug --dbfile sample-keydb.txt
• Development: uv run python master.py or uv shell

Breaking Changes

• Requires uv to be installed: curl -LsSf https://astral.sh/uv/install.sh | sh
• Python 3.8+ required (upgraded from 3.7+)

Files Changed

• Master/pyproject.toml (new)
• Master/master.sh (updated)
• README.md (minimal updates)
• Master/requirements.txt (deleted)
• Master/__init__.py (deleted)

This PR modernizes the dependency management while maintaining backward compatibility and improving the overall development experience.

[dirkx]

is there not a more secure way to get 'uv' installed ? E.g. from some managed environment ? That: curl -LsSf https://astral.sh/uv/install.sh | sh looks scary as hell; and seeing that this curl script contains base64 opaque binaries that it then runs: ignore base64 -d > "$_tmp" <<EOF f0VMRgIBAQAAAAAAAAAAAAIAAgEBAAAAeAAgAAAAAABAAAAAAAAAAAAAAAAAAAAAQQAAAEAAOAAB AAAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAJAAAAAAAAAAkAAAAAAAAAAAA AQAAAAAABCiAAwUAFQAGABUAByCAAwsYggMAACsAC3iBAwAAKwAxen0n EOF .... chmod u+x "$_tmp" .... "$_tmp" Feels really rather scary ? Dw.

[dirkx]

Yeah I agree on that. We could either manually fetch and verify the artefacts or use ubuntu's snap, https://snapcraft.io/install/astral-uv/ubuntu. Although I am less familiar with that tool. `sudo snap install astral-uv --classic` Cheers, Luke

…

-------- Original Message --------

On 14/06/2025 16:13, Dirk-Willem van Gulik - dirkx at webweaving.org ***@***.***> wrote: This email failed anti-phishing checks when it was received by SimpleLogin, be careful with its content. More info on https://simplelogin.io/docs/getting-started/anti-phishing/ ------------------------------ is there not a more secure way to get 'uv' installed ? E.g. from some managed environment ? That: curl -LsSf https://astral.sh/uv/install.sh | sh looks scary as hell; and seeing that this curl script contains base64 opaque binaries that it then runs: ignore base64 -d > "$_tmp" <<EOF f0VMRgIBAQAAAAAAAAAAAAIAAgEBAAAAeAAgAAAAAABAAAAAAAAAAAAAAAAAAAAAQQAAAEAAOAAB AAAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAJAAAAAAAAAAkAAAAAAAAAAAA AQAAAAAABCiAAwUAFQAGABUAByCAAwsYggMAACsAC3iBAwAAKwAxen0n EOF .... chmod u+x "$_tmp" .... "$_tmp" Feels really rather scary ? Dw.

[stormeuh]

In the installation instructions of uv they suggest using pip to install it, would there be a downside to doing that?
Personally I'm not too keen on snaps.

[thisislawatts]

I've put together a script here which can be used to run upgrades of uv.
https://gist.github.com/thisislawatts/4fac9fa61f145512d36721754f165fc6

@stormeuh, do you have any recommended reading around the snaps? I haven't worked with them too much before so unsure of the trade-offs they introduce.