On Fri, Feb 04, 2022 at 09:27:59PM +0530, Nilesh Patra wrote:
> On 2/4/22 9:18 PM, Julian Gilbey wrote:
> > Basically, the mistune upstream author has completely messed up on
> > this by making what is essentially a completely different package with
> > superficially similar functionality but the same name.
>
> True.
>
> [...]
> > _mistune.py within the Debian package,
> > and have nbconvert do "import nbconvert.filters._mistune as mistune"
> > (see /usr/lib/python3/dist-packages/nbconvert/filters/markdown_mistune.py).
> > That seems like an eminently sensible solution to this problem.
>
> But that'd lead to a number of mistune's embedded copies in a huge number of
> packages; since majority of the rev-deps (when I last checked) haven't
> adapted to this new version. When they do,
> and it becomes an overhead to fix each one later.
> Even worse, if we discover a security problem sometime later, then all such
> packages would be affected, and that honestly does not look like a good idea
> to me.

This is true, though there are only 7 reverse dependencies currently in
testing.

> I somehow do not understand the urgency of uploading this newer version, as
> the maintainer said:
>
> | I intend to upload src:mistune 2.0.0 to unstable between March the
> | 15th and April the 15th (depending on the progress of its
> | reverse-dependencies).
>
> We could simply wait a little more for the dust to settle, IMHO.

That would be a reasonable approach, but how long will it take for the
dust to settle? With this major change, and no guidance from upstream
on how to migrate, and at least a number of upstream authors happy to
rely on setup.py having "mistune <1.0.0" in the install_requires
field, it might be several months or longer before things are fixed
upstream. And what do we do when some packages have converted and
some haven't?

Best wishes,

Julian