[MIR] soupsieve (dependency of beautifulsoup4)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
backports.functools-lru-cache (Ubuntu) | Fix Released | Undecided | Joshua Powers |
soupsieve (Ubuntu) | Fix Released | Undecided | Joshua Powers |
Bug Description
[Availability]
From Debian. Bootstrapped in disco.
[Rationale]
beautifulsoup4 4.7 introduced soupsieve as a new dependency. This is replacing the same functionality that used to be part of beautifulsoup4 itself.
[Security]
This is a Python library, with no binaries on PATH.
It's relatively young, with a spotless security history, so far.
[Quality assurance]
It's a library. No configuration, no debconf questions.
There's a fairly extensive test-suite, run at build-time and as autopkgtests.
http://
(Currently failing because this MIR isn't through yet and there's a missing versioned dependency in the autopkgtest. Fixed in -3)
[Dependencies]
The Python2 binary packages depend on backports.
[Standards compliance]
It's a Python library, lintian-clean.
[Maintenance]
Expected to just be synced from Debian.
[Background information]
Probably promote python-soupsieve, python-
Changed in backports.functools-lru-cache (Ubuntu):
assignee: nobody → MIR approval team (ubuntu-mir)
assignee: MIR approval team (ubuntu-mir) → nobody
Changed in soupsieve (Ubuntu):
assignee: MIR approval team (ubuntu-mir) → nobody
description: updated
summary:
- [MIR] soupsieve
+ [MIR] soupsieve (dependency of beautifulsoup4)
description: updated
Changed in soupsieve (Ubuntu):
assignee: nobody → Christian Ehrhardt (paelzer)
tags: removed: server-triage-discuss
FYI some references:
- initial beautifulsoup MIR https://bugs.launchpad.net/ubuntu/+source/beautifulsoup/+bug/492560
- switching to beautifulsoup4 https://bugs.launchpad.net/ubuntu/+source/beautifulsoup4/+bug/1252623
Ack on the rationale, here the refs of both projects [1][2] for this switch.
But this will need to go through the security Team's review (again) as it is not copying the former code from beautifulsoup4 as-is but is "a more complete CSS selector implementation".
I agree that the autopkgtests are extensive (good) but currently fail on all architectures.
That should be resolved so that there is a good baseline and broken uploads will be gated.
Seems to be the same set of errors in py2 and the py3 case.
The License was confusing at first using the ambiguous MIT license term in the project itself, but the package correctly identified it as the Expat license so things are ok here.
There are some minor packaging issues which would be nice to be resolved, but are not critical.
=> source-contains-empty-directory docs/theme/ (and it makes the tarball mismatch the packaging git)
The upstream tarball at [3] has content in that directory
$ ll docs/theme/
-rw-rw-r-- 1 paelzer paelzer 1168 Jan 23 07:16 extra-0b9b22dd13.js
-rw-rw-r-- 1 paelzer paelzer 7006 Jan 23 07:16 extra-83f68d2c59.css
So I assume that is part of the +dfsg packaging and should be improved just to be sure.
Further ok checks:
- Since the new beautifulsoup drops that function I see no code duplication issue.
- no embedded remote sources nor static linking
- dh-python is used
I currently see both main packages in main:
- python-bs4
- python3-bs4
But the new python-bs4 will pull python2 elements into main.
py2 dependencies in main are actively removed from the archive one by one and it is discouraged for new MIRs. And python-bs4 would depend on the py2 python-soupsieve.
I only found this in the seeds (referring to the old MIR)
ubuntu-git/development:54: * python3-webtest
And that only pulls in python3-bs4 which would be ok.
I checked and currently (disco) python-lxml is pulling python-bs4 into main.
That dependency should be broken if possible to not add (semi-)new python2 dependencies.
I saw no team subscriber to the package yet, but that is a requirement for the MIR process.
Please get a Team to own (state it here) and subscribe to the package for maintenance.
Other than that this LGTM and IMHO this could go on as a MIR once the findings above are resolved.
[1]: https://facelessuser.github.io/soupsieve/
[2]: https://bazaar.launchpad.net/~leonardr/beautifulsoup/bs4/view/head:/CHANGELOG#L16
[3]: https://pypi.debian.net/soupsieve/soupsieve-1.7.3.tar.gz
Summary:
- @requestor: please resolve the autopkgtest failures
- @requestor: get a team to ack owning and subscribing to the package
- @requestor: break the dependency python-lxml -> python-bs4 -> python-soupsieve to not pull new py2 code into main
- Once the above is resolved it can enter the review queue of the security Team