
Re: Please make a separate package for mistune 2.x



On Fri, Feb 04, 2022 at 09:27:59PM +0530, Nilesh Patra wrote:
> On 2/4/22 9:18 PM, Julian Gilbey wrote:
> > Basically, the mistune upstream author has completely messed up on
> > this by making what is essentially a completely different package with
> > superficially similar functionality but the same name.
> 
> True.
> > [...]
> > _mistune.py within the Debian package,
> > and have nbconvert do "import nbconvert.filters._mistune as mistune"
> > (see /usr/lib/python3/dist-packages/nbconvert/filters/markdown_mistune.py).
> > That seems like an eminently sensible solution to this problem.
> 
> But that'd lead to a number of mistune's embedded copies in a huge number of packages; since the majority of
> the rev-deps (when I last checked) haven't adapted to this new version. When they do,
> and it becomes an overhead to fix each one later.
> Even worse, if we discover a security problem sometime later, then all such packages would be
> affected, and that honestly does not look like a good idea to me.

This is true, though there are only 7 reverse dependencies currently
in testing.

> I somehow do not understand the urgency of uploading this newer version, as the maintainer said:
> 
> | I intend to upload src:mistune 2.0.0 to unstable between March the
> | 15th and April the 15th (depending on the progress of its
> | reverse-dependencies).
> 
> We could simply wait a little more for the dust to settle, IMHO.

That would be a reasonable approach, but how long will it take for the
dust to settle?  With this major change, and no guidance from upstream
on how to migrate, and at least a number of upstream authors happy to
rely on setup.py having "mistune <1.0.0" in the install_requires
field, it might be several months or longer before things are fixed
upstream.  And what do we do when some packages have converted and
some haven't?

Best wishes,

   Julian

