Re: pyyaml 6

To: debian-python@lists.debian.org
Subject: Re: pyyaml 6
From: Gordon Ball <gordon@chronitis.net>
Date: Sun, 9 Oct 2022 21:39:56 +0200
Message-id: <[🔎] a8ace2d5-1400-9f8c-37f2-e42630b81b7b@chronitis.net>
In-reply-to: <[🔎] 20221006231301.hmps267mjdxp4slc@mail.gaussglocke.de>
References: <[🔎] ea4e5630-2f43-55a3-7126-296cc554ebad@chronitis.net> <[🔎] 20221006231301.hmps267mjdxp4slc@mail.gaussglocke.de>

On 07/10/2022 01:13, Timo Röhling wrote:
> Hi Gordon,
> 
> * Gordon Ball <gordon@chronitis.net> [2022-10-07 00:10]:
>> * Upload to unstable and see what breaks?
>> * Request an archive rebuild with this version and see what breaks?
>> * File bugs against all likely affected packages with a fixed date for
>> an upload?
>> * Wait until after the freeze?
> Considering that PyYAML has been issuing a YAMLLoadWarning since
> version 5.1 (i.e. September 2019), I would expect that many (most?)
> reverse dependencies have been fixed, and anything that still breaks
> is probably in dire need of maintenance anyway.

Yes, that's a good point.

I've done some more investigation of reverse-depends and looking for
likely bad patterns with codesearch.d.n, and the set of packages which
A) appear to contain plain `yaml.load(f)` or equivalent, where `yaml` is
pyyaml and B) actually depend or build-depend on `python3-yaml` is
smaller than I feared. This is what I came up with:

```
ansible # confirm - in ansible_collections/community/general/plugins
buildbot # confirm - in porttostable
ceph # confirm, in civetweb/third_party/duktape, src/test/crimson
docker-compose # confirm, in tests
dose3 # confirm, in scripts
elasticsearch-curator # confirm, in test/unit
etm # confirm, in etmTk/data
ganeti # confirm, in qa, test/py
gnocchi # confirm, in gnocchi/gendoc
gr-dab # confirm, in python/app
jeepyb # confirm, in cmd/notify_impact
knitpy # confirm, in knitpy
labgrid # confirm, in remote/coordinator
lecm # confirm, in lecm/configuration
lirc # confirm, in lirc/database
lqa # confirm, in lqa_api/job
open-adventure # confirm, in tests
owslib # confirm, in ogcapi
policyd-rate-limit # confirm, in config, tests
python-aptly # confirm, in publisher
python-canmatrix # confirm, in canmatrix/formats/yaml
python-multipart # confirm, in multipart/tests
python-pybedtools # confirm, in test, contrib
python-seqcluster # confirm, in install
python-tempestconf # confirm, in config_tempest/profile
qcat # confirm, in adapters
qcengine # confirm, in config
refstack-client # confirm, in refstack_client
relatorio # confirm, in templates/chart
ripe-atlas-tools # confirm, in tools/settings
ros-genpy # confirm, in test
ros-rosinstall # confirm, in test, src/rosinstall
ros-rosinstall-generator # confirm, in test, src/rosinstall_generator
spades # confirm, in assembler/src/test/teamcity,
assembler/src/projects/mts, assembler/src/spades_pipeline
xrstools # confirm, in WIZARD
zlmdb # confirm, in _database
```

I don't know if all these codepaths are actually ever reached, or tests
ever run, so the packages won't necessarily break (or the breakage is
very minor, such as a single community plugin in ansible). I don't
guarantee there are no omissions from the list though.

There is a significantly longer list of packages which appear to contain
a use of yaml.load _somewhere_, but it is usually in some
maintainer/release script, or an optional path somewhere, and the
package itself doesn't [build-]depend on python3-yaml.


> 
> 
> Cheers
> Timo
>

Reply to:

Follow-Ups:
- Re: pyyaml 6
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: pyyaml 6
  - From: Gordon Ball <gordon@chronitis.net>

References:
- pyyaml 6
  - From: Gordon Ball <gordon@chronitis.net>
- Re: pyyaml 6
  - From: Timo Röhling <roehling@debian.org>

Prev by Date: RFS: tkcalendar/1.6.1-1 [ITP] -- Calendar widget for Tkinter
Next by Date: Re: pyyaml 6
Previous by thread: Re: pyyaml 6
Next by thread: Re: pyyaml 6
Index(es):
- Date
- Thread