[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rdflib / CVE-2019-7653

Hi Brian,
> Oh, wait, I see. html5lib and SPARQLWrapper are only added in
> install_requires in setup.py for Python2. For Python3 they are not
> added.
> To fix this I could:
> * Patch upstream not to require these libraries for Python2 (assuming
>   that works...)

As in, patch the setup.py? That would curiously appear to be the most
conservative or otherwise least-surprising from the end-users (binary
package) centric point of view.

> Latest patch attached.

Hm, does this not still omit the rationale for the non-trivial changes
to the build system? Or at least it doesn't make the connection very
obvious to someone installing the package. I think that was mostly why
I got sucked into this review in the first place. :)

Best wishes,

     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk

Reply to: