This one is a puzzler. The package seems to come from https://github.com/niccokunzmann/ecc, which is a fork of https://github.com/amintos/PyECC which says it's been "unmaintained since 2012" and "can be easily broken using side-channel attacks". (To my knowledge we don't use this package for anything security-critical -- though I am not 100% sure that's true.) We can try to re-fork this and bring the code up to date with a modern Python but that choice seems dubious when we could go with a more battle-tested modern Python package.

Ideally I would like to see this replaced with a new package that 1) is compatible with both Python 2 and Python 3 [for the purpose of our transition period], 2) is at feature parity with the old version of ecc, 3) has as few dependencies as possible (especially on C/C++ code) for ease of vendoring, and 4) is well-maintained, hopefully by a person who is knowledgeable about crypto. py-ecc appears to be the closest to meeting all these requirements, but it doesn't support Python 2. If it's feasible to port all the scripts that directly/indirectly depend on ecc to Python 3 in one big patch, then maybe py-ecc can work.

PyECC is not used by anything that must run with both python 2 or 3. I think it doesn't matter if whatever we use as a replacement is python 3-only.

https://hg.mozilla.org/mozilla-central/rev/d5271231b3c0