Hi everyone,
When did Pywikibot become a package manager? Even when I run this on Toolforge I get this warning:
"""(requests 2.12.4 (/usr/lib/python3/dist-packages), Requirement.parse('requests>=2.20.1; python_version != "3.4"'))
A package necessary for pywikibot is outdated. Please update required module with:
pip install "requests>=2.20.1"
You may continue on your own risk; type CTRL-C to stop."""
Why am I getting this 8-line warning message? What's the point of this?
Maarten
> When did Pywikibot become a package manager?
It's not a package manager, it just expects certain dependencies. If you checked your installed packages using `pip check`, you would get a similar message.
> Even when I run this on Toolforge I get this warning:
What install method (https://wikitech.wikimedia.org/wiki/Help:Toolforge/Pywikibot) did you use? Are you running from the grid or kubernetes?
> Why am I getting this 8 line warning message?
You have a dependency that is older than what Pywikibot expects. Various security fixes have occurred in Requests between 2.12.4 and 2.20.1, including at least one (https://nvd.nist.gov/vuln/detail/CVE-2018-18074) with a CVSS score of 9.8 out of 10 (Critical) that could allow your credentials to be transmitted in plaintext.
> What's the point of this?
To get you to stop using an insecure, out-of-date dependency.
AntiCompositeNumber
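The credential-leak the reply above refers to is a redirect-handling problem: a client that keeps its Authorization header when an https URL redirects to a plain http URL on the same host hands the credential to anyone sniffing the network. The following is an added example, not code from Pywikibot or from the Requests project; it models, from the public description of CVE-2018-18074, the two policies side by side: the old "same host is enough" rule and the hardened rule that also strips on a scheme or port change. Function names and sample URLs are constructed for illustration.

```python
"""Decide whether an Authorization header may follow a redirect.

Added example; not Pywikibot's or Requests' own code. The two policies
are modelled on the public description of CVE-2018-18074 (Requests before
2.20.0 kept credentials on an https -> http redirect to the same host).
Function names and the sample URLs used in the tests are constructed.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(parsed):
    """Effective port: the explicit one, else the default for the scheme."""
    if parsed.port is not None:
        return parsed.port
    return DEFAULT_PORTS.get(parsed.scheme)


def should_strip_auth_old(old_url: str, new_url: str) -> bool:
    """Pre-fix behaviour (modelled): strip only if the hostname changes.
    An https -> http downgrade on the same host keeps the credential."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def should_strip_auth_fixed(old_url: str, new_url: str) -> bool:
    """Hardened behaviour (modelled on the 2.20.0 fix): strip on a host,
    port or scheme change. The one benign exception is an upgrade from
    http on port 80 to https on port 443, which does not expose anything."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme == "http" and new.scheme == "https"
            and _port(old) == 80 and _port(new) == 443):
        return False
    return old.scheme != new.scheme or _port(old) != _port(new)


def follow_redirect(headers: dict, old_url: str, new_url: str, policy) -> dict:
    """Headers that would be sent to new_url under the given strip policy."""
    out = dict(headers)
    if "Authorization" in out and policy(old_url, new_url):
        del out["Authorization"]
    return out


if __name__ == "__main__":
    # Constructed request: a bot token sent over TLS, then redirected to http.
    hdrs = {"Authorization": "Bearer constructed-token", "User-Agent": "bot"}
    src, dst = "https://api.example.org/login", "http://api.example.org/login"
    print("old policy sends:", follow_redirect(hdrs, src, dst, should_strip_auth_old))
    print("fixed policy sends:", follow_redirect(hdrs, src, dst, should_strip_auth_fixed))
```

The point for a bot operator is that the vulnerable behaviour is silent: the request still succeeds, the only visible difference is on the wire. That is why a version check at startup, rather than an error at runtime, is the place this class of bug gets caught.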
Hi AntiCompositeNumber,
On 30-03-20 19:35, AntiCompositeNumber wrote:
>> When did Pywikibot become a package manager?
> It's not a package manager, it just expects certain dependencies. If you checked your installed packages using `pip check`, you would get a similar message.
The dependency is requests. It works with old versions; it shouldn't complain about newer ones if old ones work.
>> Even when I run this on Toolforge I get this warning:
> What install method (https://wikitech.wikimedia.org/wiki/Help:Toolforge/Pywikibot) did you use? Are you running from the grid or kubernetes?
Just from a tool account on the command line, so that's the grid.
>> Why am I getting this 8 line warning message?
> You have a dependency that is older than what Pywikibot expects. Various security fixes have occurred in Requests between 2.12.4 and 2.20.1, including at least one (https://nvd.nist.gov/vuln/detail/CVE-2018-18074) with a CVSS score of 9.8 out of 10 (Critical) that could allow your credentials to be transmitted in plaintext.
And you think old packages don't get security updates? A simple search returns https://launchpad.net/ubuntu/+source/requests/2.9.1-3ubuntu0.1, for example, for Ubuntu. So if anyone is running this, they get needlessly spammed with this message.
>> What's the point of this?
> To get you to stop using an insecure, out-of-date dependency.
That's the job of the package manager, not of Pywikibot.
Maarten
On 30.03.2020 at 23:15, Maarten Dammers maarten@mdammers.nl wrote:
> Hi AntiCompositeNumber,
> On 30-03-20 19:35, AntiCompositeNumber wrote:
>>> When did Pywikibot become a package manager?
>> It's not a package manager, it just expects certain dependencies. If you checked your installed packages using `pip check`, you would get a similar message.
> The dependency is requests. It works with old versions, it shouldn't complain about newer ones if old ones work.
It does not. See https://phabricator.wikimedia.org/T208296 for example.
>>> What's the point of this?
>> To get you to stop using an insecure, out-of-date dependency.
> That's the job of the package manager, not Pywikibot.
Good point. The package manager does it if you install Pywikibot as a site package. But you are able to use Pywikibot in directory mode and install it from the nightly, git or svn repository. In that case dependencies weren't checked in the past. Now the package manager is used to validate dependencies for this case.
Best Xqt
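The warning quoted at the top of the thread is the output of exactly the kind of check Xqt describes: a requirement string with an environment marker is parsed, the marker is evaluated against the running interpreter, and the installed distribution's version is compared against the specifier. The following is an added example, not Pywikibot's own code (Pywikibot's check goes through pkg_resources, as the Requirement.parse(...) text in the warning shows). It uses only the standard library, with a deliberately simplified version ordering (dotted integers, not full PEP 440); the installed-versions table and the Python version are constructed to mirror the situation in the thread.

```python
"""Check an installed version against a requirement with a marker.

Added example, not Pywikibot's code. Pywikibot and `pip check` both do
this via pkg_resources / pip's resolver; this stand-alone version shows
the mechanics. Version ordering is simplified (dotted integers only,
pre-release tags are ignored) and supports one marker clause. The
INSTALLED / ENV tables below are constructed for the example.
"""
import re
from typing import Dict, Optional, Tuple

_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.\-]+)\s*(?P<spec>[^;]*?)\s*(?:;\s*(?P<marker>.*))?$"
)
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(.+?)\s*$")
_MARKER_RE = re.compile(r'^\s*(\w+)\s*(==|!=|>=|<=|>|<)\s*["\']([^"\']+)["\']\s*$')
_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified ordering: '2.12.4' -> (2, 12, 4). Not full PEP 440."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def marker_applies(marker: Optional[str], env: Dict[str, str]) -> bool:
    """Evaluate a single marker clause such as  python_version != "3.4"."""
    if not marker:
        return True
    m = _MARKER_RE.match(marker)
    if not m:
        raise ValueError(f"unsupported marker: {marker!r}")
    name, op, value = m.groups()
    return _OPS[op](version_key(env[name]), version_key(value))


def check_requirement(requirement: str, installed: Dict[str, str],
                      env: Dict[str, str]) -> Optional[str]:
    """None if the requirement is satisfied or does not apply to this
    environment; otherwise a message in the style of the quoted warning."""
    m = _REQ_RE.match(requirement)
    if not m:
        raise ValueError(f"cannot parse requirement: {requirement!r}")
    name, spec, marker = m.group("name"), m.group("spec"), m.group("marker")
    if not marker_applies(marker, env):
        return None  # e.g. the requests pin is skipped on Python 3.4
    have = installed.get(name)
    if have is None:
        return f'{name} is not installed. Please install it with: pip install "{name}{spec}"'
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        cm = _CLAUSE_RE.match(clause)
        if not cm:
            raise ValueError(f"bad specifier clause: {clause!r}")
        op, wanted = cm.groups()
        if not _OPS[op](version_key(have), version_key(wanted)):
            return (f"{name} {have} is outdated; required {name}{spec}. "
                    f'Please update it with: pip install "{name}{spec}"')
    return None


# Constructed environment mirroring the thread: requests 2.12.4 on Python 3.5.
INSTALLED = {"requests": "2.12.4"}
ENV = {"python_version": "3.5"}
REQUIREMENT = 'requests>=2.20.1; python_version != "3.4"'

if __name__ == "__main__":
    print(check_requirement(REQUIREMENT, INSTALLED, ENV))
```

Two things the example makes visible that the thread argues about: the marker means the same requirement line is silently skipped on an interpreter it does not apply to, and the comparison is purely on the version string. A distribution that backports a fix into 2.9.1-3ubuntu0.1 still reports itself as 2.9.1 to this kind of check, which is why a version-based check and a distro security tracker can disagree.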