Comment 2 for bug 2002821

Review for Package: python-typing-extensions

[Summary]
The overall package looks good and seems fine for a MIR team ACK. However, I have 2 required TODOs: one question to ensure that the rationale is clearer on this package use, and also that we investigate why it’s not been updated in Debian for a while, and the plan for future maintainance then.

Notes:
Required TODOs:
- Question: Please clarify the rationale for this dependency.
the description is as such: "The typing module was added to the standard library in Python 3.5 on a provisional basis and will no longer be provisional in Python 3.7. However,
 this means users of Python 3.5 - 3.6 who are unable to upgrade will not be able to take advantage of new types added to the typing module…"
 However, it’s been long that we are in python 3.7+ as it’s from focal+. So do you plan to backport netplan on even older versions, or is the description mistitled and actually, even more backport happened post 3.7?
- The current release is NOT packaged (4.4.0), which was released quite some months ago: Oct 7, 2022. Any idea when it will hit Debian to ensure this is still actively maintained?

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
- python-typing-extensions checked with `check-mir`
- all dependencies can be found in `seeded-in-ubuntu` (already in main)
- none of the (potentially auto-generated) dependencies (Depends
 and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have unexpected Built-Using entries
OK:
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard
- Does not include vendored code

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)
- does not deal with cryptography (en-/decryption, certificates, signing, ...)

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite fails will fail the build upon error.
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency
- Python package, but using dh_python

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good
- promoting this does not seem to cause issues for MOTUs that so far
- no massive Lintian warnings
- d/rules is rather clean
- It is not on the lto-disabled list

Problems:
- the current release is NOT packaged (4.4.0), which was released quite some months ago: Oct 7, 2022. Any idea when it will hit Debian to ensure this is still actively maintained?

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks
- no translation present, but none needed for this case