[Python-ideas] More "ensure*" packages

Cory Benfield cory at lukasa.co.uk
Sat Aug 15 04:06:44 CEST 2015


On 14 August 2015 at 12:41, M.-A. Lemburg <mal at egenix.com> wrote:
>>> The problem I see with requests is that they sometimes
>>> have glitches in their releases causing them not to be usable,
>>> so the version that gets "ensured" would need some extra testing
>>> by whoever manages the list of packages.
>>
>> I'm interested in this. What sort of glitches are we talking about here?
>
> E.g. 2.5.2 -> 2.5.3

For those who don't want to look this up, the error was that we
updated our bundled certificates, which caused cert validation
failures on websites offering certain trust chains. This would be
difficult/impossible to find with pre-release testing, except by sheer
good luck, because it only affected a small number of websites that
have no common thread between them. This is inevitable with any form
of network protocol implementation, sadly: we tend to hit unexpected
edge cases in our dependencies (in this case, OpenSSL's trust chain
logic).

>> Are they not caught by the requests team's tests? Why would someone else
>> be able to test it better than them?
>
> No, but someone will have to decide which version is stable enough to
> put into the ensure package.

I cannot speak for the project yet (all three maintainers are
currently on holiday, so team communication is not particularly high
bandwidth at the moment!), but I suspect we'd be really worried about
any system that does not obtain the most recent release of requests,
or that cannot respond quickly to security releases in requests.

Cory

