[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

About requests.packages.urllib3 in Debian

[CC Release Team since their opinion/approval is needed]

since requests 1.1.0-1 convenience copy of already packaged libraries are
not shipped to follow Policy 4.13.
(The package is tested at every rev but manually because tests need
Internet connection.)

Due to #753578 I added a stub (technically I just used a symlink) to make
import requests.packages.urllib3 works.
It's used as import location by several projects since it is documented
as import location:


This lead to #767445 because Python import system doesn't know that 
urllib3 == requests.packages.urllib3 as described in detail here:


So packages mixing global urllib3 and requests.packages.urllib3 are possible
time bombs.

This issue was discussed on IRC[¹] and we came with the following plan[²]:

1) I will do a deep search to discover if other mixed imports (global urllib3 and
   requests.packages.urllib3) exists in a project and isinstance is used;
2) I will rework my patches to make requests use symlinked urllib3, that is reverting the
   urllib3 part in 02_use-system-chardet-and-urllib3.patch
3) I will provide help/patches for every packages in Debian that depend on python-requests.

Any thoughts is appreciated! Thanks!

I'm sorry for the inconvenience, especially considering we are going to freeze
in about 30 minutes. :(

Kind regards,

[¹] Thanks again paultag for pinging me and to everybody
    (there was also upstream) who joined the conversation.
[²] Of course press upstream to get rid of convenience copies is the
    best solution and upstream is very supportive, but we have to fix
    this now.

 Daniele Tricoli 'Eriol'

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: