Hi Colin (2024.11.05_13:54:03_-0800) > I've been working on packaging urllib3 2.2.x, since that seems to be > needed for Python 3.13 support and to fix a CVE (it might be possible to > backport, but ideally I'd prefer us up to date with upstream).
I did this last time, and it looks like all the patches we needed are now upstream, so you get to start from a fresh patch slate :) > Judging by comments in that bug and by > https://src.fedoraproject.org/rpms/python-urllib3/blob/rawhide/f/python-urllib3.spec, > Fedora has taken the approach of bundling a patched hypercorn and using > it during tests. While this is far from ideal, it seems viable to me > given that it's a test-only dependency. So I'm thinking we could do the > same for Debian: either we could just drop the whole thing under > debian/vendor/ or so, or we could package it as a separate .orig > component tarball; since we'd have to make our own tarball for the > latter approach, the former is probably simpler. > > Does this sound reasonable? I'm happy (ish) to do the legwork here. Urgh. Yeah, I think it's reasonable enough to do. Obviously this should go away as soon as it possibly can. Stefano -- Stefano Rivera http://tumbleweed.org.za/ +1 415 683 3272
