Unmaintained dependencies #440
Comments
I am unsure whether any of these issues would immediately be taken care of. I think it is reasonable to try to find a way to remove the openid as a necessary dependency, though I'm not sure how, since most people looking for something to use that functionality with would no longer be using sagenb. I don't know what oldsessions is, but presumably for reloading something? However, sagenb was written to depend fairly heavily on various flask capabilities so I don't know whether one could get rid of all of them very easily. @dimpase thoughts?
Pull requests are welcome, as always. Feel free to try to remove these.
Well, sagenb itself is unmaintained. Why do you complain about its dependencies and not about sagenb itself?
I'm unsure what you mean by that. Isn't openid more or less only used for public instances? Why would I need it if I run
Good to know. I only want to package it though -- I'm not quite willing to dive into the details of sagenb and flask to fix this. If nobody experienced with it has any input/solution, we'll have to figure out another option to package it or leave it be.
That's news to me. At least it looks reasonably maintained: last commit this year, multiple posts on the mailing list last year.
Sorry if this seems like pure complaining. I just wanted to forward concerns that came up while packaging in hopes to open a discussion, find solutions or workarounds and hopefully improve the situation for everybody.
First of all, the fact that software is unmaintained does not need to be a problem. Even unmaintained software can be packaged and installed. So I'm trying to understand why you consider it a problem that sagenb is using unmaintained dependencies but you don't find it a problem that sagenb itself is unmaintained.
Let's say that sagenb is on life support. We try to keep it working, but we're not making substantial changes.
The difference is that flask-openid (and python-openid) is security-related software that should not be used because it has unfixed vulnerabilities.
It doesn't help that there are parts of Sage itself, still, that don't work without One possibility would be to make a new release that simply drops the openid support (unfortunately, but more effort than it's worth to fix). I don't know what flask-oldsessions does but that could probably be worked around as well.
One possibility would be to make a new release that simply drops the
openid support (unfortunately, but more effort than it's worth to fix). I
don't know what flask-oldsessions does but that could probably be worked
around as well.
I think that removing openid is plausible in this context. I don't know
that anyone is (maybe there are some in Spain?) using a recent sagenb
server for OPEN use that anyone with openid would be able to join in any
case.
For python-openid, https://github.com/ziima/python-openid (https://pypi.org/project/python-openid2/) looks like it could help.
I'm trying to package this for nixos and there were concerns raised about apparently unmaintained dependencies.
Would you mind commenting on those, if you plan to remove or replace them and if you think the concerns raised are valid?
python-openid (dependency of flask-openid)
NixOS/nixpkgs#38788 (comment)
flask-oldsessions
NixOS/nixpkgs#38787 (comment)
Misc
The main maintainer of python packages in nixpkgs would also like to reduce the dependencies on flask extensions in general, if that is possible:
NixOS/nixpkgs#38787 (comment)