Hi AntiCompositeNumber,
On 30-03-20 19:35, AntiCompositeNumber wrote:
>> When did Pywikibot become a package manager?
>
> It's not a package manager, it just expects certain dependencies. If you checked your installed packages using `pip check`, you would get a similar message.

The dependency is requests. It works with old versions; it shouldn't complain about newer ones if old ones work.

>> Even when I run this on Toolforge I get this warning:
>
> What install method (https://wikitech.wikimedia.org/wiki/Help:Toolforge/Pywikibot) did you use? Are you running from the grid or Kubernetes?

Just from a tool account on the command line, so that's the grid.

>> Why am I getting this 8-line warning message?
>
> You have a dependency that is older than what Pywikibot expects. Various security fixes have occurred in Requests between 2.12.4 and 2.20.1, including at least one (https://nvd.nist.gov/vuln/detail/CVE-2018-18074) with a CVSS score of 9.8 out of 10 (Critical) that could allow your credentials to be transmitted in plaintext.

And you think old packages don't get security updates? A simple search returns https://launchpad.net/ubuntu/+source/requests/2.9.1-3ubuntu0.1, for example, for Ubuntu. So if anyone is running this, they get needlessly spammed with this message.

>> What's the point of this?
>
> To get you to stop using an insecure, out-of-date dependency.

That's the job of the package manager, not of Pywikibot.
Maarten
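Added example, not code from this thread, from Pywikibot or from requests: the CVE-2018-18074 fix in requests 2.20.0 made the library drop the Authorization header when a redirect downgrades https to http on the same host (before, only a host change dropped it), and since a distro backport such as the Ubuntu 2.9.1 package keeps its old version number, a behavioural probe of the installed library answers the question a version check cannot. The rule functions are a simplified model written here, and the probe calls requests' own Session.rebuild_auth on constructed objects, so nothing is sent on the wire; example.org and the bearer token are placeholders.

```python
from urllib.parse import urlsplit


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def strip_auth_host_only(original_url, redirect_url):
    """Pre-2.20 behaviour (model): keep the header unless the host changes.
    An https -> http redirect on the same host therefore re-sends the
    credential over plaintext."""
    return host_of(original_url) != host_of(redirect_url)


def strip_auth_hardened(original_url, redirect_url):
    """Simplified form of the fixed rule (not requests' own code): drop the
    header on a host change or on an https -> http scheme downgrade."""
    if host_of(original_url) != host_of(redirect_url):
        return True
    old_scheme = urlsplit(original_url).scheme.lower()
    new_scheme = urlsplit(redirect_url).scheme.lower()
    return old_scheme == "https" and new_scheme == "http"


def installed_requests_strips_auth_on_downgrade():
    """Probe the installed requests: True if it drops Authorization when a
    response from https://example.org/ redirects to http://example.org/,
    False if the header survives, None if requests is not importable."""
    try:
        import requests
    except ImportError:
        return None
    session = requests.Session()
    session.trust_env = False  # keep ~/.netrc out of the experiment
    original = requests.Request("GET", "https://example.org/").prepare()
    response = requests.Response()  # constructed, never received
    response.request = original
    redirected = requests.Request(
        "GET", "http://example.org/",
        headers={"Authorization": "Bearer PLACEHOLDER-TOKEN"},
    ).prepare()
    session.rebuild_auth(redirected, response)
    return "Authorization" not in redirected.headers


if __name__ == "__main__":
    case = ("https://example.org/login", "http://example.org/login")
    print("host-only rule strips:", strip_auth_host_only(*case))  # False
    print("hardened rule strips: ", strip_auth_hardened(*case))   # True
    print("installed requests strips:", installed_requests_strips_auth_on_downgrade())
```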