On 07/10/2022 01:13, Timo Röhling wrote: > Hi Gordon, > > * Gordon Ball <gor...@chronitis.net> [2022-10-07 00:10]: >> * Upload to unstable and see what breaks? >> * Request an archive rebuild with this version and see what breaks? >> * File bugs against all likely affected packages with a fixed date for >> an upload? >> * Wait until after the freeze? > Considering that PyYAML has been issuing a YAMLLoadWarning since > version 5.1 (i.e. September 2019), I would expect that many (most?) > reverse dependencies have been fixed, and anything that still breaks > is probably in dire need of maintenance anyway.
Yes, that's a good point. I've done some more investigation of reverse-depends and looking for likely bad patterns with codesearch.d.n, and the set of packages which A) appear to contain plain `yaml.load(f)` or equivalent, where `yaml` is pyyaml and B) actually depend or build-depend on `python3-yaml` is smaller than I feared. This is what I came up with: ``` ansible # confirm - in ansible_collections/community/general/plugins buildbot # confirm - in porttostable ceph # confirm, in civetweb/third_party/duktape, src/test/crimson docker-compose # confirm, in tests dose3 # confirm, in scripts elasticsearch-curator # confirm, in test/unit etm # confirm, in etmTk/data ganeti # confirm, in qa, test/py gnocchi # confirm, in gnocchi/gendoc gr-dab # confirm, in python/app jeepyb # confirm, in cmd/notify_impact knitpy # confirm, in knitpy labgrid # confirm, in remote/coordinator lecm # confirm, in lecm/configuration lirc # confirm, in lirc/database lqa # confirm, in lqa_api/job open-adventure # confirm, in tests owslib # confirm, in ogcapi policyd-rate-limit # confirm, in config, tests python-aptly # confirm, in publisher python-canmatrix # confirm, in canmatrix/formats/yaml python-multipart # confirm, in multipart/tests python-pybedtools # confirm, in test, contrib python-seqcluster # confirm, in install python-tempestconf # confirm, in config_tempest/profile qcat # confirm, in adapters qcengine # confirm, in config refstack-client # confirm, in refstack_client relatorio # confirm, in templates/chart ripe-atlas-tools # confirm, in tools/settings ros-genpy # confirm, in test ros-rosinstall # confirm, in test, src/rosinstall ros-rosinstall-generator # confirm, in test, src/rosinstall_generator spades # confirm, in assembler/src/test/teamcity, assembler/src/projects/mts, assembler/src/spades_pipeline xrstools # confirm, in WIZARD zlmdb # confirm, in _database ``` I don't know if all these codepaths are actually ever reached, or tests ever run, so the packages won't necessarily break (or the breakage is very minor, such as a single community plugin in ansible). I don't guarantee there are no omissions from the list though. There is a significantly longer list of packages which appear to contain a use of yaml.load _somewhere_, but it is usually in some maintainer/release script, or an optional path somewhere, and the package itself doesn't [build-]depend on python3-yaml. > > > Cheers > Timo >
