From: Peter Pentchev
Newsgroups: linux.debian.maint.python
Subject: Re: Upstream dependency version requirements [Was: Re: review for beets/2.9.0-1]
Date: Tue, 05 May 2026 11:50:02 +0200

On Mon, May 04, 2026 at 03:07:22PM +0300, Peter Pentchev wrote:
> On Sun, May 03, 2026 at 03:49:21PM -0000, Jeroen Ploemen wrote:
> > hi Pieter,
> >
> > my review for the beets package:
> >
> > * control: very specific version requirement for the dependency on
> >   python3-acoustid (= 1.3.1), while the upstream pyproject.toml
> >   specifies ^1.3.1 (note the caret) which if IIRC translates to
> >   >=1.3.1,<2;
> > * control: the
> >   build-dep on sphinx <9 has been overtaken by reality,
> >   with sphinx/9.1.0-1 already in unstable. Build seems to be fine
> >   with 9.1.0 too though.
> >
> > For both of the above, it's often an open question whether version
> > restrictions declared by upstream are actually hard requirements or
> > just a matter of "we prefer to have everyone use the version we
> > tested with".
>
> From my experience with various upstream projects, both individual
> authors with varying levels of experience and workflows, and
> more complex organizations (e.g. OpenStack), IMHO it is most useful to,
> at least initially, "assume good faith" and approach upstream requirements
> as follows...

So, uh, I just realized (a couple of days later, yeah) that what I wrote
may be misinterpreted. I did not in any way mean to criticize Jeroen's
words: I did not imply that he advocated not treating upstream
requirements in good faith. In my message I did outline a couple of
cases in which it is very much advisable to override them.

Apologies for any confusion.

G'luck,
Peter

-- 
Peter Pentchev roam@ringlet.net roam@debian.org peter@morpheusly.com
PGP key: https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13