📦 We released #urllib3 v2.1.0 today! This release removes many of the features that have been deprecated for removal in v2. Security fixes will continue to be available in v1.26.x thanks to @tidelift
I don't have sympathy for #OpenBSD or #LibreSSL. However, I can understand that they had good reasons to fork OpenSSL, and that switching back today would be hard. I can understand projects refusing to officially declare support and rejecting workarounds.
OTOH, pushing LibreSSL hate to the point of blocking Python implementations that don't link to OpenSSL is just horrible. Users get in the crossfire, again.
It turns out that #urllib3 added a totally bonkers OpenSSL version check, and they broke a lot of systems as a result. Ofc the immediate result is dozens of packages pinning urllib3 < 2, and if they continue their negligence it's going to go into hundreds.
Ofc, it is a mess that distro maintainers will have to clean up eventually. I mean, removing the pins when they do not apply to us.
One thing that the #urllib3 team does that I wonder if other #opensource projects do is ensure someone is around to help in case of disasters. Very similar to on-call but ad-hoc and during fragile moments like releases of new default behaviors/major versions. Do any other projects do this?
#urllib3 v2.0.1 has been released with two small fixes:
– Fixed socket leak after failed cert hostname or fingerprint verification (thanks @graingert!)
– Fixed an issue when .read(0) was called on an empty response buffer (thanks @quentinpradet!)