Re: rdflib / CVE-2019-7653

To: "Brian May" <bam@debian.org>, debian-lts@lists.debian.org
Subject: Re: rdflib / CVE-2019-7653
From: "Chris Lamb" <lamby@debian.org>
Date: Thu, 14 Mar 2019 16:56:33 -0400
Message-id: <[🔎] 018c3b39-f00e-4259-a670-ce7787c2b4ca@www.fastmail.com>
In-reply-to: <[🔎] 87pnqvgtqi.fsf@silverfish.pri>
References: <[🔎] 874l8e2xom.fsf@silverfish.pri> <[🔎] 0d6f5ae8-a2cd-4740-95cd-ddb0242aa3cd@www.fastmail.com> <[🔎] 87y35q1fru.fsf@silverfish.pri> <[🔎] 818d0167-e097-4a90-9a73-30724af78699@www.fastmail.com> <[🔎] 87pnqvgtqi.fsf@silverfish.pri>

Hi Brian,
 
> Oh, wait, I see. html5lib and SPARQLWrapper are only added in
> install_requires in setup.py for Python2. For Python3 they are not
> added.
> 
> To fix this I could:
[…]
> * Patch upstream not to require these libraries for Python2 (assuming
>   that works...)

As in, patch the setup.py? That would curiously appear to be the most
conservative or otherwise least-surprising from the end-users (binary
package) centric point of view.

> Latest patch attached.

Hm, does this not still omit the rationale for the non-trivial changes
to the build system? Or at least it doesn't make the connection very
obvious to someone installing the package. I think that was mostly why
I got sucked into this review in the first place. :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Reply to:

References:
- rdflib / CVE-2019-7653
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: rdflib / CVE-2019-7653
  - From: "Chris Lamb" <lamby@debian.org>
- Re: rdflib / CVE-2019-7653
  - From: Brian May <bam@debian.org>
- Re: rdflib / CVE-2019-7653
  - From: "Chris Lamb" <lamby@debian.org>
- Re: rdflib / CVE-2019-7653
  - From: Brian May <bam@debian.org>

Prev by Date: Re: Newer kernel for jessie backports
Next by Date: Re: Newer kernel for jessie backports
Previous by thread: Re: rdflib / CVE-2019-7653
Next by thread: Re: rdflib / CVE-2019-7653
Index(es):
- Date
- Thread