[CC Release Team since their opinion/approval is needed]
Hello,
since requests 1.1.0-1 convenience copies of already packaged libraries are
not shipped to follow Policy 4.13.
(The package is tested at every rev but manually because tests need
Internet connection.)
Due to #753578 I added a stub (technically I just used a symlink) to make
import requests.packages.urllib3 work.
It's used as import location by several projects since it is documented
as import location:
http://www.python-requests.org/en/latest/user/advanced/#example-specific-ssl-version
This led to #767445 because Python import system doesn't know that
urllib3 == requests.packages.urllib3 as described in detail here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767445#10
So packages mixing global urllib3 and requests.packages.urllib3 are possible
time bombs.
This issue was discussed on IRC[¹] and we came up with the following plan[²]:
1) I will do a deep search to discover if other mixed imports (global urllib3 and
requests.packages.urllib3) exist in a project and isinstance is used;
2) I will rework my patches to make requests use symlinked urllib3, that is reverting the
urllib3 part in 02_use-system-chardet-and-urllib3.patch
3) I will provide help/patches for every package in Debian that depends on python-requests.
Any thoughts are appreciated! Thanks!
I'm sorry for the inconvenience, especially considering we are going to freeze
in about 30 minutes. :(
Kind regards,
[¹] Thanks again paultag for pinging me and to everybody
(there was also upstream) who joined the conversation.
[²] Of course pressing upstream to get rid of convenience copies is the
best solution and upstream is very supportive, but we have to fix
this now.
--
Daniele Tricoli 'Eriol'
http://mornie.org
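
The module-identity problem described in the message above (Python treating urllib3 and requests.packages.urllib3 as unrelated modules even when one is a symlink to the other), reproduced as an added example that is not part of the original message. The names demo_netlib and demo_client are constructed stand-ins for urllib3 and requests, built in a temporary directory.

```python
import importlib
import os
import sys
import tempfile


def build_tree(root):
    """Constructed layout: demo_netlib plays urllib3, demo_client plays requests."""
    os.makedirs(os.path.join(root, "demo_netlib"))
    with open(os.path.join(root, "demo_netlib", "__init__.py"), "w") as f:
        f.write("class Timeout(Exception):\n    pass\n")
    os.makedirs(os.path.join(root, "demo_client", "packages"))
    for d in ("demo_client", os.path.join("demo_client", "packages")):
        open(os.path.join(root, d, "__init__.py"), "w").close()
    # The stub: demo_client/packages/demo_netlib is a symlink to the global copy.
    os.symlink(os.path.join(root, "demo_netlib"),
               os.path.join(root, "demo_client", "packages", "demo_netlib"))


def demo():
    root = tempfile.mkdtemp()
    build_tree(root)
    sys.path.insert(0, root)
    try:
        importlib.invalidate_caches()
        global_mod = importlib.import_module("demo_netlib")
        bundled_mod = importlib.import_module("demo_client.packages.demo_netlib")
    finally:
        sys.path.remove(root)
    # Raise through the bundled name, try to handle through the global name.
    err = bundled_mod.Timeout("raised via the bundled import path")
    caught = False
    try:
        try:
            raise err
        except global_mod.Timeout:
            caught = True
    except bundled_mod.Timeout:
        pass  # only the bundled name matches
    return {
        # One file on disk, but sys.modules is keyed by dotted name, not by path.
        "same_file": os.path.samefile(global_mod.__file__, bundled_mod.__file__),
        "same_module": global_mod is bundled_mod,
        "isinstance": isinstance(err, global_mod.Timeout),
        "caught_by_global_except": caught,
    }


if __name__ == "__main__":
    print(demo())
```

The same source file is executed twice under two module names, so each name gets its own class objects; isinstance checks and except clauses written against one name silently miss objects created through the other.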