888271 – [TRACKER] dev-python/future removal tracker

Bug 888271 - [TRACKER] dev-python/future removal tracker

Summary: [TRACKER] dev-python/future removal tracker

Status:	CONFIRMED

Alias:	None

Product:	Quality Assurance
Classification:	Unclassified
Component:	Trackers (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Python Gentoo Team

URL:
Whiteboard:
Keywords:

Depends on:	888273 888275 888281 888291 888293 888297 888277 888279 888283 888285 888287 888289 888295 888299 888301 888303 888305
Blocks:
	Show dependency tree

Reported:	2022-12-25 09:30 UTC by Michał Górny
Modified:	2023-04-30 14:40 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2022-12-25 09:30:12 UTC

# Unmaintained with last release in 2019.  We already patched it to work
# with Python 3.9+.  The upstream code is also vulnerable
# to CVE-2022-40899.  Above all, this library is completely redundant
# to packages not supporting Python 2 anymore.

Comment 1 BobbyK 2023-04-30 14:26:04 UTC

Does 0.18.3 released on Jan 12 2023 (at least that's what it says on https://pypi.org/project/future/) have the same limitations and vulnerabilities?

Comment 2 Michał Górny archtester

2023-04-30 14:40:47 UTC

(In reply to BobbyK from comment #1)
> Does 0.18.3 released on Jan 12 2023 (at least that's what it says on
> https://pypi.org/project/future/) have the same limitations and
> vulnerabilities?

IIRC they've fixed *something* but definitely not all the things we were already patching.