pyyaml 6
pyyaml (aka python3-yaml) is an rdepend for >300 packages. We currently have 5.4.1, but version 6 was released late last year, which does quite a lot of cleanup (eg, dropping python 2 support) and disables unsafe loading (arbitrary python code execution) unless explicitly opted into. Unfortunately this is a breaking change for any code which uses the simple `yaml.load(fileobj)` idiom - it now needs to be `yaml.safe_load(fileobj)` or `yaml.load(fileobj, Loader=yaml.SafeLoader)`.

I uploaded 6.0 to experimental late last year, but time constraints meant it never got pushed forward. I've recently refreshed the version in experimental (experimental doesn't get binnmus so it was still only built for 3.9), and there are relatively few autopkgtest regressions:

https://qa.debian.org/excuses.php?experimental=1&package=pyyaml

However, using codesearch suggests there are quite a few places which are likely to break:

http://codesearch.debian.net/search?q=yaml%5B.%5Dload%5B%28%5D%5B%5E%2C%5D%2B%5B%29%5D+filetype%3Apython&literal=0&perpkg=1

Some of these are false positives, such as invocations of ruamel.yaml, that string appearing in documentation, or things regex can't catch - but that still looks like it leaves a significant number of packages being potentially broken (and presumably lacking autopkgtest coverage).

So, I'd seek some input on how to move forward.

 * Upload to unstable and see what breaks?
 * Request an archive rebuild with this version and see what breaks?
 * File bugs against all likely affected packages with a fixed date for an upload?
 * Wait until after the freeze?

The only bug requesting it actually be upgraded is https://bugs.debian.org/1008262 (for openstack). I don't know if that has proved a hard blocker - I _think_ anything designed to work with 6.x should also work with 5.4.

Gordon
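One way to separate real hits from the false positives the message lists (ruamel.yaml, `yaml.load` quoted in documentation) is to scan the Python AST rather than grep with a regex. This is an added example, not code from the thread or from PyYAML; the module it scans is a constructed sample.

```python
"""Added example: find PyYAML load() calls that will break on PyYAML 6,
where Loader became mandatory (the pre-6.0 default was the unsafe one)."""
import ast

def _pyyaml_names(tree):
    """Return (module aliases bound to PyYAML, names bound to yaml.load)."""
    mods, loads = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods |= {a.asname or a.name for a in node.names if a.name == "yaml"}
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            loads |= {a.asname or a.name for a in node.names if a.name == "load"}
    return mods, loads

def find_unsafe_loads(source):
    """Line numbers of PyYAML load() calls that pass no Loader at all."""
    tree = ast.parse(source)
    mods, loads = _pyyaml_names(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute):   # yaml.load(...) through a module alias
            is_load = (f.attr == "load" and isinstance(f.value, ast.Name)
                       and f.value.id in mods)
        else:                              # load(...) imported by name
            is_load = isinstance(f, ast.Name) and f.id in loads
        # Loader may be the second positional argument or the Loader= keyword.
        has_loader = len(node.args) >= 2 or any(k.arg == "Loader" for k in node.keywords)
        if is_load and not has_loader:
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample module: only the two lines marked "breaks" should be reported.
SAMPLE = '''
import yaml
from yaml import load as yload
from ruamel import yaml as ryaml

def read(fh):
    """Docs that mention yaml.load(fh) are not calls."""
    a = yaml.load(fh)                          # breaks on PyYAML 6
    b = yaml.safe_load(fh)                     # fine
    c = yaml.load(fh, Loader=yaml.SafeLoader)  # fine
    d = yload(fh)                              # breaks: alias of yaml.load
    e = ryaml.load(fh)                         # fine: ruamel.yaml, not PyYAML
    return a, b, c, d, e
'''
```

Running `find_unsafe_loads(SAMPLE)` reports lines 8 and 11 of the sample only; a regex over the same text would also match the docstring and the ruamel call.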
Re: pyyaml 6
Hi Gordon,

* Gordon Ball [2022-10-07 00:10]:
> * Upload to unstable and see what breaks?
> * Request an archive rebuild with this version and see what breaks?
> * File bugs against all likely affected packages with a fixed date for an upload?
> * Wait until after the freeze?

Considering that PyYAML has been issuing a YAMLLoadWarning since version 5.1 (i.e. September 2019), I would expect that many (most?) reverse dependencies have been fixed, and anything that still breaks is probably in dire need of maintenance anyway.

Cheers
Timo
Re: pyyaml 6
On Fri, 2022-10-07 at 00:10 +0200, Gordon Ball wrote:
> * Upload to unstable and see what breaks?

The experimental pseudo-excuses already say several packages break:

https://qa.debian.org/excuses.php?experimental=1&package=pyyaml

  autopkgtest for ganeti/3.0.2-1: amd64: Regression, arm64: Regression
  autopkgtest for llvm-toolchain-13/1:13.0.1-7: amd64: Pass, arm64: Regression
  autopkgtest for satpy/0.37.1-1: amd64: Regression, arm64: Regression
  autopkgtest for spades/3.15.5+dfsg-1: amd64: Regression

So at least these issues need to be investigated and maybe bugs filed.

> * Request an archive rebuild with this version and see what breaks?

Definitely.

> * File bugs against all likely affected packages with a fixed date for
> an upload?

Definitely.

I don't know if any packages in Debian have versioned dependencies on pyyaml, but if they do then it might be worth filing a transition bug. Probably also a good idea to do that anyway too.

https://wiki.debian.org/Teams/ReleaseTeam/Transitions

There might also be Debian services broken by pyyaml 6, but they can be dealt with during the upgrade of the debian.org machines to bookworm.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise