Bug 1320683 - RPM fails to enforce dependencies declared in python package
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: python-requests-oauthlib
Version: 25
Assignee: Fedora Infrastructure SIG
QA Contact: Fedora Extras Quality Assurance
Blocks: 1320686
Reported: 2016-03-23 17:41 UTC by John Dennis
Modified: 2017-02-26 00:51 UTC (History)
Last Closed: 2017-02-26 00:51:15 UTC
Type: Bug

Description John Dennis 2016-03-23 17:41:31 UTC
With Python packages, the distutils setup.py acts much like an RPM spec file: it contains all sorts of metadata about the package. One critical piece of information is the required dependencies, including required versions of those dependencies.

For example in the requests.oauthlib setup.py file we have:

    install_requires=['oauthlib>=0.6.2', 'requests>=2.0.0']

But the RPM spec file does not enforce the same dependencies. The dependencies in the spec files are this:

For Py2:

    Requires:           python-oauthlib
    Requires:           python-requests

For Py3:

    Requires:           python3-oauthlib
    Requires:           python3-requests

The dependencies in the RPM *must* match those declared in the upstream metadata, otherwise an install may not produce runnable code. This is the problem we're seeing with some distributions.

oauthlib 0.6.2 exposed a new method, oauthlib.oauth2.is_secure_transport(), and requests-oauthlib references that symbol. But if a version of oauthlib older than 0.6.2 is installed, the package installer won't force an update of oauthlib because of the missing version dependency.

The result is that the Python program aborts.
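The mismatch described above can be checked mechanically. The following is an added example, not part of the original report or of Fedora's packaging tooling: it compares install_requires entries against a spec file's Requires: lines and lists every upstream minimum version the spec does not enforce. It assumes the RPM name is a prefix plus the upstream name (as in the report), handles only bare names and `>=` bounds, and compares plain dotted-integer versions rather than implementing rpmvercmp or PEP 440; SPEC_VERSIONED is a hypothetical corrected spec.

```python
import re

# Constructed inputs, copied from the values quoted in the bug description.
INSTALL_REQUIRES = ['oauthlib>=0.6.2', 'requests>=2.0.0']
SPEC_PY2 = "Requires:           python-oauthlib\nRequires:           python-requests\n"
# Hypothetical corrected spec lines, for comparison only.
SPEC_VERSIONED = "Requires: python-oauthlib >= 0.6.2\nRequires: python-requests >= 2.0.0\n"

VER = r'[0-9]+(?:\.[0-9]+)*'
UPSTREAM_RE = re.compile(rf'^([A-Za-z0-9._-]+)\s*(?:>=\s*({VER}))?$')
SPEC_RE = re.compile(rf'^Requires:\s*(\S+)(?:\s*(>=|>|=)\s*({VER}))?\s*$')

def vtuple(v):
    parts = [int(p) for p in v.split('.')]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so "2" equals "2.0.0"

def parse_upstream(reqs):
    """Return {name: minimum version or None}; only bare names and '>=' are handled."""
    out = {}
    for req in reqs:
        m = UPSTREAM_RE.match(req.strip())
        if not m:
            raise ValueError(f"unsupported requirement: {req!r}")
        out[m.group(1).lower()] = m.group(2)
    return out

def parse_spec(text, prefix):
    """Return {upstream name: (op, version)} for Requires: lines named prefix + name."""
    out = {}
    for line in text.splitlines():
        m = SPEC_RE.match(line.strip())
        if m and m.group(1).startswith(prefix):
            out[m.group(1)[len(prefix):].lower()] = (m.group(2), m.group(3))
    return out

def audit(reqs, spec_text, prefix='python-'):
    """List upstream minimum versions that the spec's Requires: lines do not enforce."""
    spec, findings = parse_spec(spec_text, prefix), []
    for name, minimum in parse_upstream(reqs).items():
        if name not in spec:
            findings.append(f"{prefix}{name}: not required by spec")
            continue
        op, ver = spec[name]
        # A spec bound below the upstream minimum is flagged, even with '>' (conservative).
        if minimum and (op is None or vtuple(ver) < vtuple(minimum)):
            have = f"{prefix}{name}" + (f" {op} {ver}" if op else "")
            findings.append(f"{prefix}{name} >= {minimum}: spec has {have}")
    return findings

if __name__ == "__main__":
    for finding in audit(INSTALL_REQUIRES, SPEC_PY2):
        print("MISSING CONSTRAINT:", finding)
```

Run against the Py2 lines quoted in the report, it flags both dependencies; run against the versioned lines, it reports nothing.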

Comment 1 Fedora Admin XMLRPC Client 2016-04-04 20:33:41 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Ralph Bean 2016-06-28 17:08:20 UTC
While the underlying issue here (dependencies are not constrained the same way upstream specifies them)... we do have python-oauthlib > 0.6.2 in F24 and rawhide now.

Comment 3 Fedora End Of Life 2016-11-24 16:12:24 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 23 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Kevin Fenzi 2017-02-26 00:51:15 UTC
I've fixed this in rawhide and also updated it to 0.8.0. 

Let me know if you need a f25 build.