Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.maint.python > #17078
| Path | csiph.com!fu-berlin.de!bofh.it!news.nic.it!robomod |
|---|---|
| From | Simon Josefsson <simon@josefsson.org> |
| Newsgroups | linux.debian.maint.python, linux.debian.bugs.dist |
| Subject | Re: Bug#1115706: Not installable with python3-cryptography >= 44 |
| Date | Fri, 19 Sep 2025 15:20:02 +0200 |
| Message-ID | <LwJbP-gy7c-3@gated-at.bofh.it> (permalink) |
| References | <LwElQ-guYd-3@gated-at.bofh.it> <LwIz7-gxBR-11@gated-at.bofh.it> <LwElQ-guYd-3@gated-at.bofh.it> <LwIIN-gxFI-1@gated-at.bofh.it> |
| X-Original-To | debian-python@lists.debian.org, Andrey Rakhmatullin <wrar@debian.org> |
| X-Mailbox-Line | From debian-python-request@lists.debian.org Fri Sep 19 13:10:35 2025 |
| Old-Return-Path | <simon@josefsson.org> |
| X-Amavis-Spam-Status | No, score=-14.5 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, LDO_WHITELIST=-5, PGPSIGNATURE=-5, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no |
| X-Policyd-Weight | using cached result; rate: -4.6 |
| Openpgp | id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt |
| X-Hashcash | 1:23:250919:wrar@debian.org::nTgQymBQyB3rt/KO:0D+bn |
| X-Hashcash | 1:23:250919:1115706@bugs.debian.org::RtlZQpXvJv8OwYU6:1F190 |
| X-Hashcash | 1:23:250919:debian-python@lists.debian.org::pRDoPZbGj9zhZbyY:K7Uo |
| User-Agent | Gnus/5.13 (Gnus v5.13) |
| MIME-Version | 1.0 |
| Content-Type | multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" |
| X-Mailing-List | <debian-python@lists.debian.org> archive/latest/23261 |
| List-ID | <debian-python.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-python/> |
| List-Archive | https://lists.debian.org/msgid-search/87wm5u1tc7.fsf@josefsson.org |
| Approved | robomod@news.nic.it |
| Lines | 72 |
| Organization | linux.* mail to news gateway |
| Sender | robomod@news.nic.it |
| X-Original-Cc | 1115706@bugs.debian.org |
| X-Original-Date | Fri, 19 Sep 2025 15:10:16 +0200 |
| X-Original-Message-ID | <87wm5u1tc7.fsf@josefsson.org> |
| X-Original-References | <175826922917.2039399.2302457106203823282.reportbug@belkar.wrar.name> <87348i39kh.fsf@josefsson.org> <175826922917.2039399.2302457106203823282.reportbug@belkar.wrar.name> <aM1Qt4GZSnHYbN7M@belkar.wrar.name> |
| Xref | csiph.com linux.debian.maint.python:17078 linux.debian.bugs.dist:1262225 |
Cross-posted to 2 groups.
Show key headers only | View raw
[Multipart message — attachments visible in raw view] - view raw
Debian-python, Does anyone have thoughts on why some python packages use << versioning on build dependencies even when there are no such versions released? If this a python cultural upstream thing, is this something that should be mirrored in Debian's Depends: versioning? I'm guessing an upstream may want to protect against some potential future API break with a future version of some build dependency, to be certain to notice when upstream bumps versions and get a hard failure to be able to resolve things, but I'm guessing this probably does more damage than good if mirrored in the Debian versioning. Which happened now for yubikey-manager. I've not seen this used in other language ecosystems as much. But I may be missing something. Of course, if there is a KNOWN problem with a more recent version of some package, then a << dependency is fully appropriate. Btw, I just realized that maybe yubikey-manager could be team-maintained by the python team rather than the pkg-security team that I just nudged it into, I suppose people here will have more knowledge about python stuff than on pkg-security. /Simon Andrey Rakhmatullin <wrar@debian.org> writes: > On Fri, Sep 19, 2025 at 02:34:22PM +0200, Simon Josefsson wrote: >>> Note that the upstream pyproject.toml has "cryptography (>=3.0, <48)". >> >>I made a quick upload bumping <<44 to <<48. >> >>However why would one want to have these << dependencies? I guess they >>are mirroring upstream pyproject.toml, but I still don't understand the >>reason. > > It's an interesting question for which I don't have an answer, even > pyopenssl (notably maintained by the same PyCA as cryptography itself) > has a regularly bumped upper dep on cryptography. E.g. the recently > released 25.3.0 has the bump as the only change.
Back to linux.debian.maint.python | Previous | Next — Next in thread | Find similar
Re: Bug#1115706: Not installable with python3-cryptography >= 44 Simon Josefsson <simon@josefsson.org> - 2025-09-19 15:20 +0200
Re: Bug#1115706: Not installable with python3-cryptography >= 44 Stefano Rivera <stefanor@debian.org> - 2025-09-19 17:30 +0200
Re: Bug#1115706: Not installable with python3-cryptography >= 44 Stefano Rivera <stefanor@debian.org> - 2025-09-19 18:00 +0200
Re: Bug#1115706: Not installable with python3-cryptography >= 44 Simon Josefsson <simon@josefsson.org> - 2025-09-19 18:30 +0200
csiph-web