Hi AntiCompositeNumber,

On 30-03-20 19:35, AntiCompositeNumber wrote:
>> When did Pywikibot become a package manager?
> It's not a package manager, it just expects certain dependencies. If
> you checked your installed packages using `pip check`, you would get a
> similar message.

The dependency is requests. It works with old versions; it shouldn't
complain about newer ones if old ones work.

>> Even when I run this on Toolforge I get this warning:
> What install method
> (https://wikitech.wikimedia.org/wiki/Help:Toolforge/Pywikibot) did you
> use? Are you running from the grid or Kubernetes?

Just from a tool account on the command line, so that's the grid.

>> Why am I getting this 8-line warning message?
> You have a dependency that is older than what Pywikibot expects.
> Various security fixes have occurred in Requests between 2.12.4 and
> 2.20.1, including at least one
> (https://nvd.nist.gov/vuln/detail/CVE-2018-18074) with a CVSS score of
> 9.8 out of 10 (Critical) that could allow your credentials to be
> transmitted in plaintext.

And you think old packages don't get security updates? A simple search
returns https://launchpad.net/ubuntu/+source/requests/2.9.1-3ubuntu0.1,
for example, for Ubuntu. So if anyone is running this, they get
needlessly spammed with this message.

>> What's the point of this?
> To get you to stop using an insecure, out-of-date dependency.

That's the job of the package manager, not of Pywikibot.

Maarten
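An added example, written in Python (Pywikibot's language) and not code from Pywikibot or from either participant in the thread: it performs a minimum-version check of the kind the thread is arguing about and shows why a distro-patched package such as Ubuntu's requests 2.9.1-3ubuntu0.1 still trips it. The 2.20.1 floor and the "older than expected" wording come from the thread; that Pywikibot implements its check this way, and every function name below, are assumptions. The package version strings fed in at the bottom are constructed inputs.

```python
"""Added example, not Pywikibot's own code: a minimum-version check for
requests of the kind the thread argues about, plus a look at why a
distro-patched package (Ubuntu's requests 2.9.1-3ubuntu0.1) still trips it.
The 2.20.1 floor is the figure quoted in the thread; that this is exactly
how Pywikibot performs its check is an assumption."""
import re
from typing import Dict, Optional, Tuple

MIN_REQUESTS = "2.20.1"  # floor quoted in the thread (assumed to be the check's threshold)


def release_tuple(version: str) -> Tuple[int, ...]:
    """Numeric release segment of a version string: '2.20.1' -> (2, 20, 1).

    Pre-release, post-release and local suffixes are deliberately ignored;
    this is a simplified stand-in for packaging.version, not a full PEP 440 parser.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def release_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """True if release a precedes release b, treating '2.20' and '2.20.0' as equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_requests_version(installed: str, minimum: str = MIN_REQUESTS) -> Optional[str]:
    """Return None when installed >= minimum, otherwise a warning string."""
    if release_lt(release_tuple(installed), release_tuple(minimum)):
        return f"requests {installed} is older than the required {minimum}"
    return None


def split_debian_version(pkg_version: str) -> Tuple[int, str, str]:
    """Split a Debian/Ubuntu package version '[epoch:]upstream[-revision]'.

    A backported security fix bumps only the revision ('3' -> '3ubuntu0.1');
    the upstream part, which is all a Python-level version check can see,
    stays '2.9.1'.
    """
    epoch = 0
    if ":" in pkg_version:
        epoch_str, pkg_version = pkg_version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = pkg_version.rpartition("-")
    if not sep:
        upstream, revision = pkg_version, ""
    return epoch, upstream, revision


def check_distro_package(pkg_version: str, minimum: str = MIN_REQUESTS) -> Dict[str, Optional[str]]:
    """Run the same version check that a distro-packaged requests faces once installed."""
    _epoch, upstream, revision = split_debian_version(pkg_version)
    return {
        "upstream": upstream,
        "revision": revision,
        "warning": check_requests_version(upstream, minimum),
    }


def installed_requests_version() -> Optional[str]:
    """Version of the requests importable in this interpreter, or None if it is absent."""
    try:
        import requests  # type: ignore
    except ImportError:
        return None
    return getattr(requests, "__version__", None)


if __name__ == "__main__":
    # Constructed inputs: the unpatched Ubuntu package and the security-patched
    # one linked in the thread. Both carry upstream version 2.9.1.
    for pkg in ("2.9.1-3", "2.9.1-3ubuntu0.1"):
        print(pkg, "->", check_distro_package(pkg))
    current = installed_requests_version()
    if current is not None:
        print("local requests", current, "->", check_requests_version(current) or "ok")
```

The two constructed package versions produce the identical warning because a backport changes only the Debian revision, never the upstream version that `requests.__version__` reports. A check like this therefore cannot distinguish a distro-patched 2.9.1 from an unpatched one; whether a given fix (CVE-2018-18074 or any other) is present in such a package has to be read from the distribution's changelog or security tracker, not inferred from the version number.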