Source: python-urllib3 Version: 2.0.7-2 Severity: normal X-Debbugs-Cc: Daniele Tricoli <er...@debian.org>
I've been working on packaging urllib3 2.2.x, since that seems to be needed for Python 3.13 support and to fix a CVE (it might be possible to backport, but ideally I'd prefer us up to date with upstream). I noticed that we needed to package quart-trio, so I've done that. Now I have a new problem. https://github.com/urllib3/urllib3/issues/3334 describes this quite well from the Fedora point of view: urllib3's test suite needs a patched hypercorn, and upstream seems to think this is worth it. Judging by comments in that bug and by https://src.fedoraproject.org/rpms/python-urllib3/blob/rawhide/f/python-urllib3.spec, Fedora has taken the approach of bundling a patched hypercorn and using it during tests. While this is far from ideal, it seems viable to me given that it's a test-only dependency. So I'm thinking we could do the same for Debian: either we could just drop the whole thing under debian/vendor/ or so, or we could package it as a separate .orig component tarball; since we'd have to make our own tarball for the latter approach, the former is probably simpler. Does this sound reasonable? I'm happy (ish) to do the legwork here. Thanks, -- Colin Watson (he/him) [cjwat...@debian.org]
