[Python-ideas] More "ensure*" packages

M.-A. Lemburg mal at egenix.com
Sun Aug 16 17:03:54 CEST 2015


On 15.08.2015 04:06, Cory Benfield wrote:
> On 14 August 2015 at 12:41, M.-A. Lemburg <mal at egenix.com> wrote:
>>>> The problem I see with requests is that they sometimes
>>>> have glitches in their releases causing them not to be usable,
>>>> so the version that gets "ensured" would need some extra testing
>>>> by whoever manages the list of packages.
>>>
>>> I'm interested in this. What sort of glitches are we talking about here?
>>
>> E.g. 2.5.2 -> 2.5.3
> 
> For those who don't want to look this up, the error was that we
> updated our bundled certificates, which caused cert validation
> failures on websites offering certain trust chains. This would be
> difficult/impossible to find with pre-release testing, except by sheer
> good luck, because it only affected a small number of websites that
> have no common thread between them. This is inevitable with any form
> of network protocol implementation, sadly: we tend to hit unexpected
> edge cases in our dependencies (in this case, OpenSSL's trust chain
> logic).

Sorry, should have added some more context. Thanks for adding it.

>>> Are they not caught by the requests team's tests? Why would someone else
>>> be able to test it better than them?
>>
>> No, but someone will have to decide which version is stable enough to
>> put into the ensure package.
> 
> I cannot speak for the project yet (all three maintainers are
> currently on holiday, so team communication is not particularly high
> bandwidth at the moment!), but I suspect we'd be really worried about
> any system that does not obtain the most recent release of requests,
> or that cannot respond quickly to security releases in requests.

The problem here is that the ensure package would include
one particular package version and install this by default
(with an option to update it to the most recent release,
if possible during install, as is done for ensurepip in
Python 3.4).

I doubt that people will regularly run a package
update on all their virtualenvs and Python installations to
get the most recent requests version, so this needs to be
taken into account somehow.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 16 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> mxODBC Plone/Zope Database Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
2015-08-12: Released mxODBC 3.3.4 ...             http://egenix.com/go80
2015-08-22: FrOSCon 2015 ...                                6 days to go

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

