Hi Andreas,

> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1718212
> >
> > Patch is at https://gist.github.com/dhondta/f71ae7e5c4234f8edfd2f12503a5dcc7
>
> I know you are usually pretty quick in solving serious issues. I tried
> to check the issue and think the link provided for a patch is just
> pointing to a proof of concept exploit. When reading the discussion
> here
>
> https://github.com/davidhalter/parso/issues/75
>
> I understand that it is not fixed but the authors do not consider the
> issue serious. Could you please give some comment from an insider's
> point of view (which I'm not). I'm just caring since several Debian
> Science dependencies are about to be removed from testing due to this
> bug.

I don't consider it that serious either. I'll wait for upstream to provide a proper fix. If there is no such fix in time, I guess I can just disable the cache if the security team insists.

> PS: Is there any reason why this package is not on Salsa and not
> team maintained?

That's because python-jedi is a multi-tarball source package and parso was part of it at the beginning. Last time I checked, gbp didn't support it (or I don't know how to use it), so it was easier for me to keep it outside DPMT. I guess there's no reason not to move parso into DPMT now.