[CC Release Team since their opinion/approval is needed] Hello, since requests 1.1.0-1 convenience copy of already packaged libraries are not shipped to follow Policy 4.13. (The package is tested at every rev but manually because tests need Internet connection.) Due to #753578 I added a stub (technically I just used a symlink) to make import requests.packages.urllib3 works. It's used as import location by several projects since it is documented as import location: http://www.python-requests.org/en/latest/user/advanced/#example-specific-ssl-version This lead to #767445 because Python import system doesn't know that urllib3 == requests.packages.urllib3 as described in detail here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767445#10 So packages mixing global urllib3 and requests.packages.urllib3 are possible time bombs. This issue was discussed on IRC[¹] and we came with the following plan[²]: 1) I will do a deep search to discover if other mixed imports (global urllib3 and requests.packages.urllib3) exists in a project and isinstance is used; 2) I will rework my patches to make requests use symlinked urllib3, that is reverting the urllib3 part in 02_use-system-chardet-and-urllib3.patch 3) I will provide help/patches for every packages in Debian that depend on python-requests. Any thoughts is appreciated! Thanks! I'm sorry for the inconvenience, especially considering we are going to freeze in about 30 minutes. :( Kind regards, [¹] Thanks again paultag for pinging me and to everybody (there was also upstream) who joined the conversation. [²] Of course press upstream to get rid of convenience copies is the best solution and upstream is very supportive, but we have to fix this now. -- Daniele Tricoli 'Eriol' http://mornie.org
Description: This is a digitally signed message part.