Path: csiph.com!news.samoylyk.net!gothmog.csi.it!bofh.it!news.nic.it!robomod
From: Stefano Rivera <stefanor@debian.org>
Newsgroups: linux.debian.maint.python,linux.debian.bugs.dist
Subject: Re: Bug#1115706: Not installable with python3-cryptography >= 44
Date: Fri, 19 Sep 2025 17:30:01 +0200
Message-ID: <LwLdD-gzxE-7@gated-at.bofh.it>
References: <LwElQ-guYd-3@gated-at.bofh.it> <LwIz7-gxBR-11@gated-at.bofh.it> <LwElQ-guYd-3@gated-at.bofh.it> <LwIIN-gxFI-1@gated-at.bofh.it> <LwJbP-gy7c-3@gated-at.bofh.it>
X-Mailbox-Line: From debian-python-request@lists.debian.org  Fri Sep 19 15:25:40 2025
Old-Return-Path: <stefano@rivera.za.net>
X-Amavis-Spam-Status: No, score=-105.389 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FOURLA=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, LDO_WHITELIST=-5, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SARE_MSGID_LONG45=0.893, SARE_MSGID_LONG50=0.726, USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100] autolearn=no autolearn_force=no
X-Policyd-Weight: using cached result; rate:hard: -4.6
X-Greylist: delayed 510 seconds by postgrey-1.36 at bendel; Fri, 19 Sep 2025 15:25:24 UTC
Mail-Followup-To: Simon Josefsson <simon@josefsson.org>, debian-python@lists.debian.org, Andrey Rakhmatullin <wrar@debian.org>, 1115706@bugs.debian.org
X-Gpg-Public-Key: http://www.rivera.za.net/stefano.gpg
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Disposition: inline
User-Agent: NeoMutt/20250510
X-Mailing-List: <debian-python@lists.debian.org> archive/latest/23262
List-ID: <debian-python.lists.debian.org>
List-URL: <https://lists.debian.org/debian-python/>
List-Archive: https://lists.debian.org/msgid-search/mon3rw63gwfadrftvfozzxai3z4nqxvnite7so6dputkwze424@6xqxmscqirtu
Approved: robomod@news.nic.it
Lines: 28
Organization: linux.* mail to news gateway
Sender: robomod@news.nic.it
X-Original-Cc: debian-python@lists.debian.org, Andrey Rakhmatullin <wrar@debian.org>, 1115706@bugs.debian.org
X-Original-Date: Fri, 19 Sep 2025 15:16:29 +0000
X-Original-Message-ID: <mon3rw63gwfadrftvfozzxai3z4nqxvnite7so6dputkwze424@6xqxmscqirtu>
X-Original-References: <175826922917.2039399.2302457106203823282.reportbug@belkar.wrar.name> <87348i39kh.fsf@josefsson.org> <175826922917.2039399.2302457106203823282.reportbug@belkar.wrar.name> <aM1Qt4GZSnHYbN7M@belkar.wrar.name> <87wm5u1tc7.fsf@josefsson.org>
Xref: csiph.com linux.debian.maint.python:17079 linux.debian.bugs.dist:1262241

Hi Simon (2025.09.19_13:10:16_+0000)
>Does anyone have thoughts on why some python packages use << versioning
>on build dependencies even when there are no such versions released?

You sometimes see this. It's over-protective IMHO.

We don't always do this. Packages need to declare PEP386 (in practice 
PEP440) compliance for dh_python3 to do this. Or you have to pass 
--accept-upstream-versions.
That's probably worth re-visiting, because everything is PEP440 
compliant, these days.

>If this a python cultural upstream thing, is this something that should
>be mirrored in Debian's Depends: versioning?

It's problematic for us to not mirror it, because then you can have 
packages installed that don't have their dependencies met. pip doesn't 
like that. pkg_resources (IIRC) used to also get quite up set about it.

So, typically patching the upstream dependencies is appropriate in these 
situations.

Stefano

-- 
Stefano Rivera
   http://tumbleweed.org.za/
   +1 415 683 3272