[openstack-dev] [PKG-Openstack-devel] Bug#755315: [Trove] Should we stop using wsgi-intercept, now that it imports from mechanize? this is really bad!

Thomas Goirand zigo at debian.org
Tue Jul 29 08:38:40 UTC 2014


On 07/28/2014 04:04 AM, Chris Dent wrote:
> On Mon, 28 Jul 2014, Thomas Goirand wrote:
> 
>> That's exactly the version which I've been looking at. The thing is,
>> when I run the unit test with that version, it just bombs on me because
>> mechanize isn't there.
> 
> How would you feel about it being optionally available and for the tests
> for mechanize to only run for it if someone has already preinstalled
> mechanize? That is the tests will skip if import mechanize is an
> ImportError?
> 
> While I'm not in love with mechanize, if it is a tool that _some_
> people use, then I don't want wsgi-intercept to not be useful to them.
> 
>> Please let me know if you can release a new version of wsgi-intercept
>> cleaned from any trace of mechanize, or if you think this can't be done.
> 
> Let me know if the above idea can't work. Depending on your answer
> I'll either release a version as described, or go ahead and flush it.
> If you get back to me by tomorrow morning (UTC) I can probably get the new
> version out tomorrow too.

Hi,

Sorry, I couldn't reply earlier.

Well, if at least mechanize really becomes optional, which means: no
issue when running unit tests without it, and no issue when using it,
then it may be ok from my point of view (e.g.: I wouldn't complain that
much about it).

However, from *your* perspective, I wouldn't advise that you keep using
such a dangerous, badly maintained Python module. Saying that it's
optional may look like you think mechanize is ok and you are vouching
for it, when it really shouldn't be the case. Having clean,
well-maintained dependencies is IMO very important for a given Python
module. It shows that you care that no bad module gets in.

Let me know whenever you have a new release, without mechanize as a new
dependency, or with it being optional.

Cheers,

Thomas Goirand (zigo)
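
Added example, not part of the original message and not wsgi-intercept's own code: a sketch of the "optional dependency" arrangement discussed in the thread, where tests for the optional client are skipped instead of erroring when the module cannot be imported. The helper names (`optional_import`, `make_case`, `run_suite`), the test bodies and the absent module name are hypothetical.

```python
import importlib
import unittest


def optional_import(name):
    """Return the module if it is installed, else None (never raises ImportError)."""
    try:
        return importlib.import_module(name)
    except ImportError:
        return None


def make_case(dep_name):
    """Build a TestCase with one core test and one test gated on dep_name."""
    dep = optional_import(dep_name)

    class InterceptTests(unittest.TestCase):
        def test_core_path(self):
            # Stand-in for core behaviour, which must never touch the optional module.
            self.assertEqual("intercepted".upper(), "INTERCEPTED")

        @unittest.skipUnless(dep, f"{dep_name} not installed")
        def test_optional_client(self):
            # Runs only when the optional module was importable.
            self.assertTrue(hasattr(dep, "__name__"))

    return InterceptTests


def run_suite(dep_name):
    """Run the suite and return (tests_run, skipped, failures_plus_errors)."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(make_case(dep_name))
    result = unittest.TestResult()
    suite.run(result)
    return result.testsRun, len(result.skipped), len(result.failures) + len(result.errors)


if __name__ == "__main__":
    # "mechanize" may or may not be present; either way there must be no errors.
    print("mechanize:", run_suite("mechanize"))
    # Constructed module name, assumed not to be installed anywhere.
    print("absent:", run_suite("no_such_optional_dep_example"))
```

A packager can check the "no issue when running unit tests without it" condition by confirming the third value is 0 in a build environment where the optional module is not installed.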



