Re: Please make a separate package for mistune 2.x

To: Nilesh Patra <nilesh@tchncs.de>
Cc: Julian Gilbey <julian@d-and-j.net>, "Michael R. Crusoe" <crusoe@debian.org>, 1003567@bugs.debian.org, debian-python@lists.debian.org
Subject: Re: Please make a separate package for mistune 2.x
From: Pierre-Elliott Bécue <peb@debian.org>
Date: Sat, 05 Feb 2022 22:45:24 +0100
Message-id: <[🔎] 87sfsxc7ga.fsf@jaatynyt>
In-reply-to: <[🔎] f0b902ab-20bb-4914-4f4b-cda7c69a7cff@tchncs.de>
References: <20220111213844.BE33D2C006E@pimeys.fr> <ff46079a-b1d9-861e-9399-fe94d3b4dcca@debian.org> <[🔎] 878rurbmr3.fsf@jaatynyt> <[🔎] Yf1K5I9AHqJbaXVh@d-and-j.net> <[🔎] ad606783-dd57-fbb5-ba4c-8ad8768e696e@tchncs.de> <[🔎] Yf7HEu0ve0ZU5osj@d-and-j.net> <[🔎] f0b902ab-20bb-4914-4f4b-cda7c69a7cff@tchncs.de>

Nilesh Patra <nilesh@tchncs.de> wrote on 05/02/2022 at 20:23:44+0100:

> [[PGP Signed Part:No public key for 00BAE74B343369F1 created at 2022-02-05T20:23:44+0100 using RSA]]
> On 2/6/22 12:20 AM, Julian Gilbey wrote:
>> On Fri, Feb 04, 2022 at 09:27:59PM +0530, Nilesh Patra wrote:
>>> On 2/4/22 9:18 PM, Julian Gilbey wrote:
>>>> [...]
>>>> _mistune.py within the Debian package,
>>>> and have nbconvert do "import nbconvert.filters._mistune as mistune"
>>>> (see /usr/lib/python3/dist-packages/nbconvert/filters/markdown_mistune.py).
>>>> That seems like an eminently sensible solution to this problem.
>>>
>>> But that'd lead to a number of mistune's embedded copies in a huge number of packages; since majority of
>>> the rev-deps (when I last checked) haven't adapted to this new version. When they do,
>>> and it becomes a overhead to fix each one later.
>>> Even worse, if we discover a security problem sometime later, then all such packages would be
>>> effected, and that honestly does not look like a good idea to me.
>> I have just had another idea, which might solve all of the problems:
>> create a new Debian package called mistune0 (or mistune1), which
>> contains the legacy version of mistune, but with the Python module
>> called "mistune0" instead of "mistune".  Then it will be
>> co-installable with mistune 2.x, and the packages which still depend
>> on mistune 0.8.4 could be patched to say "import mistune0 as mistune"
>> until they are updated upstream.  This will also avoid having multiple
>> copies of the legacy code in the archive, which addresses the security
>> issue, and allow those packages which have migrated to mistune 2.x to
>> still say "import mistune".
>
> Ah, looks like we just had to think in the reverse direction from the initial proposal (mistune-{0,1} instead of mistune-{1,2}).
> Indeed, that sounds like a much better plan.
> I hope PEB agrees with this as well, would like to hear from them :)
>
> Thanks for the discussion, Julian :)
>
> Regards,
> Nilesh

I'd like other python team member's opinion on this, and I'm not eager
to maintain that legacy package, as I tend to not want to maintain
obsolete software. Still, I can do the initial work of creating it.

-- 
PEB

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Please make a separate package for mistune 2.x
  - From: Sandro Tosi <morph@debian.org>

References:
- Re: Please make a separate package for mistune 2.x
  - From: Pierre-Elliott Bécue <peb@debian.org>
- Re: Please make a separate package for mistune 2.x
  - From: Julian Gilbey <julian@d-and-j.net>
- Re: Please make a separate package for mistune 2.x
  - From: Nilesh Patra <nilesh@tchncs.de>
- Re: Please make a separate package for mistune 2.x
  - From: Julian Gilbey <julian@d-and-j.net>
- Re: Please make a separate package for mistune 2.x
  - From: Nilesh Patra <nilesh@tchncs.de>

Prev by Date: Bug#1005043: lintian: check that Python version numbers are not 0.0.0
Next by Date: Re: Please make a separate package for mistune 2.x
Previous by thread: Re: Please make a separate package for mistune 2.x
Next by thread: Re: Please make a separate package for mistune 2.x
Index(es):
- Date
- Thread