Debian Bug report logs - #1084018
zope.security: (build-)depends on deprecated module python3-pkg-resources
Package: src:zope.security; Maintainer for src:zope.security is Debian Python Team <team+python@tracker.debian.org>;
Reported by: Matthias Klose <doko@debian.org>
Date: Fri, 4 Oct 2024 09:53:57 UTC
Severity: normal
Tags: fixed-upstream, forky, sid
Found in version zope.security/7.2-1
Fixed in version zope.security/8.2-1
Done: Colin Watson <cjwatson@debian.org>
Forwarded to https://github.com/zopefoundation/zope.security/pull/122
Report forwarded
to Debian Python Team <team+python@tracker.debian.org>:
Bug#1084018; Package src:zope.security.
(Fri, 04 Oct 2024 09:53:57 GMT)
Acknowledgement sent
to Matthias Klose <doko@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Python Team <team+python@tracker.debian.org>.
(Fri, 04 Oct 2024 09:53:57 GMT)
Message #5 received at maintonly@bugs.debian.org:
Package: src:zope.security
Version: 7.2-1
Severity: normal
Tags: sid trixie
User: debian-python@lists.debian.org
Usertags: pkg-resources-deprecation
[This bug is targeted to the upcoming trixie release]
The package build-depends or depends on python3-pkg-resources, which is
deprecated upstream. Details can be found at
https://setuptools.pypa.io/en/latest/pkg_resources.html
Use of pkg_resources is deprecated in favor of importlib.resources,
importlib.metadata and their backports (importlib_resources, importlib_metadata).
Some useful APIs are also provided by packaging (e.g. requirements and version
parsing). Users should refrain from new usage of pkg_resources and should work
to port to importlib-based solutions.
Python 3.12 in unstable provides both importlib_resources and
importlib_metadata, so no additional dependencies on those packages are needed.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1084018; Package src:zope.security.
(Fri, 04 Oct 2024 10:27:07 GMT)
Acknowledgement sent
to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Team <team+python@tracker.debian.org>.
(Fri, 04 Oct 2024 10:27:07 GMT)
Message #10 received at 1084018@bugs.debian.org:
While pkg_resources is indeed deprecated upstream, there's nothing that
we can sensibly do about it at the Debian level in lazr.* or zope.*, and
it's not even as clear as you might hope what to do upstream. They all
do something like this in an __init__.py (with unimportant variations):
    __import__('pkg_resources').declare_namespace(__name__)
As
https://packaging.python.org/en/latest/guides/packaging-namespace-packages/#pkg-resources-style-namespace-packages
says:
    If you are creating a new distribution within an existing namespace
    package that uses this method then it’s recommended to continue using
    this as the different methods are not cross-compatible and it’s not
    advisable to try to migrate an existing package.
I know pkg_resources is deprecated for most other purposes, but even
upstream currently advises here not to try to migrate in this case.
Now, I know there've been some attempts to figure this out:
https://github.com/pypa/sample-namespace-packages thinks a migration may
be possible as long as developers are willing to accept some
limitations. But it's still a difficult migration and upstream hasn't
really got going on it; for Zope, see
https://github.com/zopefoundation/meta/issues/194.
Please can you reconsider, and not force this for Debian trixie? I
think we need to keep pkg_resources around for this use case until a
good deal more work has been done on migrating away from it for
namespace packages.
--
Colin Watson (he/him) [cjwatson@debian.org]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1084018; Package src:zope.security.
(Sat, 05 Oct 2024 02:51:01 GMT)
Acknowledgement sent
to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Team <team+python@tracker.debian.org>.
(Sat, 05 Oct 2024 02:51:02 GMT)
Message #15 received at 1084018@bugs.debian.org:
On 04.10.24 12:22, Colin Watson wrote:
> While pkg_resources is indeed deprecated upstream, there's nothing that
> we can sensibly do about it at the Debian level in lazr.* or zope.*, and
> it's not even as clear as you might hope what to do upstream. They all
> do something like this in an __init__.py (with unimportant variations):
>
>     __import__('pkg_resources').declare_namespace(__name__)
>
> As
> https://packaging.python.org/en/latest/guides/packaging-namespace-packages/#pkg-resources-style-namespace-packages
> says:
>
>     If you are creating a new distribution within an existing namespace
>     package that uses this method then it’s recommended to continue using
>     this as the different methods are not cross-compatible and it’s not
>     advisable to try to migrate an existing package.
>
> I know pkg_resources is deprecated for most other purposes, but even
> upstream currently advises here not to try to migrate in this case.
> Now, I know there've been some attempts to figure this out:
> https://github.com/pypa/sample-namespace-packages thinks a migration may
> be possible as long as developers are willing to accept some
> limitations. But it's still a difficult migration and upstream hasn't
> really got going on it; for Zope, see
> https://github.com/zopefoundation/meta/issues/194.
>
> Please can you reconsider, and not force this for Debian trixie? I
> think we need to keep pkg_resources around for this use case until a
> good deal more work has been done on migrating away from it for
> namespace packages.
I don't want to force it. The separation of this module into its own
module is a Debian-specific change to avoid runtime dependencies on
pkg_resources. So you'll find a lot of hard-coded dependencies that are
just not used anymore. That's what I want to catch for the trixie release.
Matthias
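An added example, not part of either message and not code from zope.security or Debian: one way to tell a still-used pkg_resources dependency from a stale hard-coded one is to scan a source tree for run-time references, including the `__import__('pkg_resources').declare_namespace(__name__)` form quoted in the thread. The function names and the sample tree are assumptions constructed for illustration.

```python
import ast
import tempfile
from pathlib import Path


def pkg_resources_uses(source, filename="<string>"):
    """Return sorted (lineno, kind) pairs for each pkg_resources reference."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] == "pkg_resources" for a in node.names):
                hits.append((node.lineno, "import"))
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and (node.module or "").split(".")[0] == "pkg_resources":
                hits.append((node.lineno, "import"))
        elif isinstance(node, ast.Call):
            func = node.func
            # __import__('pkg_resources'): the namespace __init__.py form from the thread
            if (isinstance(func, ast.Name) and func.id == "__import__"
                    and node.args and isinstance(node.args[0], ast.Constant)
                    and node.args[0].value == "pkg_resources"):
                hits.append((node.lineno, "__import__"))
            elif isinstance(func, ast.Attribute) and func.attr == "declare_namespace":
                hits.append((node.lineno, "declare_namespace"))
    return sorted(hits)


def scan_tree(root):
    """Map each .py file under root (relative POSIX path) to its non-empty hit list."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        try:
            hits = pkg_resources_uses(path.read_bytes(), str(path))
        except (SyntaxError, ValueError) as exc:
            # Unparseable files are reported, never silently treated as clean.
            hits = [(getattr(exc, "lineno", None) or 0, "unparseable")]
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    # Constructed sample tree, not the real zope.security sources.
    with tempfile.TemporaryDirectory() as root:
        pkg = Path(root, "zope", "security")
        pkg.mkdir(parents=True)
        pkg.parent.joinpath("__init__.py").write_text(
            "__import__('pkg_resources').declare_namespace(__name__)\n")
        pkg.joinpath("__init__.py").write_text("import importlib.metadata\n")
        print(scan_tree(root) or "no pkg_resources use found: dependency looks stale")
```

An empty report means no static reference was found; dynamically built import names are outside what this scan can see.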
Added tag(s) forky.
Request was from Sebastian Ramacher <sramacher@debian.org>
to control@bugs.debian.org.
(Sun, 17 Aug 2025 18:14:22 GMT)
Set Bug forwarded-to-address to 'https://github.com/zopefoundation/zope.security/pull/122'.
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
(Sun, 21 Sep 2025 10:19:02 GMT)
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Mon, 29 Sep 2025 18:07:04 GMT)
Reply sent
to Colin Watson <cjwatson@debian.org>:
You have taken responsibility.
(Sat, 01 Nov 2025 19:05:01 GMT)
Notification sent
to Matthias Klose <doko@debian.org>:
Bug acknowledged by developer.
(Sat, 01 Nov 2025 19:05:01 GMT)
Message #26 received at 1084018-close@bugs.debian.org:
Source: zope.security
Source-Version: 8.2-1
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
zope.security, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1084018@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated zope.security package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 01 Nov 2025 18:26:46 +0000
Source: zope.security
Architecture: source
Version: 8.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1084018
Changes:
 zope.security (8.2-1) unstable; urgency=medium
 .
   * New upstream release:
     - Remove run-time dependency on `setuptools` (closes: #1084018).
Removed tag(s) trixie.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Sun, 21 Dec 2025 01:03:07 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Dec 26 22:11:01 2025; Machine Name: bembo