Bug 1320686

Summary: RPM fails to enforce dependencies declared in python package
Product: [Fedora] Fedora EPEL
Reporter: John Dennis <jdennis>
Component: python-requests-oauthlib
Assignee: Fedora Infrastructure SIG <infra-sig>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel7
CC: extras-qa, puiterwijk
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 1320683
Last Closed: 2024-07-08 22:22:28 UTC
Type: Bug
Bug Depends On: 1320683

Description John Dennis 2016-03-23 17:43:24 UTC
+++ This bug was initially created as a clone of Bug #1320683 +++

With Python packages the distutils setup.py file acts much like an RPM spec file: it contains all sorts of metadata about the package. One critical piece of information is the required dependencies, including the required versions of those dependencies.

For example in the requests.oauthlib setup.py file we have:

    install_requires=['oauthlib>=0.6.2', 'requests>=2.0.0']

But the RPM spec file does not enforce the same dependencies. The dependencies in the spec files are these:

For Py2:

Requires:           python-oauthlib
Requires:           python-requests

For Py3:

Requires:           python3-oauthlib
Requires:           python3-requests

The dependencies in the RPM *must* match those declared in the upstream metadata otherwise an install may not produce runnable code. This is the problem we're seeing with some distributions.

oauthlib 0.6.2 exposed a new method, oauthlib.oauth2.is_secure_transport(), which requests-oauthlib references. But if a version of oauthlib older than 0.6.2 is installed, the package installer won't force an update of oauthlib because of the missing version dependency.

The result is the python program aborts.
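An added example, not part of the bug report or of the packages involved: a small checker that compares a spec's Requires lines against upstream install_requires and emits the versioned Requires lines the report asks for. The inputs are constructed from the values quoted above, and the python-/python3- prefix mapping between PyPI and RPM names is an assumption.

```python
import re

# Constructed inputs modelled on the bug report: upstream install_requires
# from requests-oauthlib's setup.py and the Requires lines of the spec file.
INSTALL_REQUIRES = ['oauthlib>=0.6.2', 'requests>=2.0.0']
SPEC_REQUIRES = """
Requires:           python-oauthlib
Requires:           python-requests
"""

# setup.py requirement: name, optional operator and version.
REQ_RE = re.compile(r'^\s*([A-Za-z0-9_.\-]+)\s*(?:([<>=!~]+)\s*([0-9][0-9A-Za-z.]*))?\s*$')
# spec Requires line: RPM name, optional operator and version.
SPEC_RE = re.compile(r'^Requires:\s*(\S+)(?:\s*([<>=]+)\s*(\S+))?\s*$')

def parse_install_requires(reqs):
    """Map PyPI project name -> (operator, version), or None when unpinned."""
    out = {}
    for req in reqs:
        m = REQ_RE.match(req)
        if not m:
            raise ValueError('unsupported requirement: %r' % req)
        name, op, ver = m.groups()
        out[name.lower()] = (op, ver) if op else None
    return out

def parse_spec_requires(spec_text, prefix='python-'):
    """Map RPM Requires back to PyPI names by stripping the python prefix
    (assumed naming convention: python-<pypi name> / python3-<pypi name>)."""
    out = {}
    for line in spec_text.splitlines():
        m = SPEC_RE.match(line)
        if not m:
            continue
        rpm_name, op, ver = m.groups()
        pypi = rpm_name[len(prefix):] if rpm_name.startswith(prefix) else rpm_name
        out[pypi.lower()] = (op, ver) if op else None
    return out

def missing_version_requires(install_requires, spec_text, prefix='python-'):
    """Return corrected Requires lines for every upstream constraint the spec
    fails to carry (package absent, or its version constraint dropped/changed)."""
    upstream = parse_install_requires(install_requires)
    spec = parse_spec_requires(spec_text, prefix)
    fixes = []
    for name, constraint in upstream.items():
        if constraint is None:
            continue  # upstream does not pin a version; nothing to enforce
        if spec.get(name) != constraint:
            op, ver = constraint
            fixes.append('Requires:           %s%s %s %s' % (prefix, name, op, ver))
    return fixes

if __name__ == '__main__':
    for line in missing_version_requires(INSTALL_REQUIRES, SPEC_REQUIRES):
        print(line)
```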

Comment 2 Troy Dawson 2024-07-08 22:22:28 UTC
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.