Tensorboard: why not bleach-2.0 ?

Created on 26 Aug 2017 · 6 comments · Source: tensorflow/tensorboard

setup.py forces backward download of bleach-1.5

All 6 comments

This is exactly a problem on Arch Linux because we only have Python 3.6 which is not compatible with bleach 1.5.

As to "why": because bleach-2.0 is a backward-incompatible major-version upgrade, and we didn't bother upgrading because there was no need to. We don't officially support Python 3.6 (only 2.7, 3.4, and 3.5), but I'd be happy to accept a PR that upgraded us to the new version in any case: we can at least make a "best effort" attempt at support. (cc @jart)

why not bleach-2.0

A better question is: why bleach-2.0? The changelist does list quite a few backwards incompatible changes. It also appears to be a rewrite. According to the changelist, there were a ton of bug fixes, but it's not clear to me what those were. I hope they weren't security bugs.

In order to upgrade TensorBoard to the latest Bleach, I would also be required to upgrade the codebase of every single other team at Google that uses Bleach.

@willkg is the expert on the subject. Please help me understand the merits of doing this.

That blog post covers everything I'd probably tell you off the top of my head.

Regarding "I hope they weren't security bugs.", if there were security issues that I knew about and fixed, they would get mentioned explicitly in the changelist. That's not clear in CHANGES--I'll write up an issue for making that clearer. On other projects, I've adopted a more explicit format. I'll fix that for Bleach.

Regarding security assurances and process, we have a security issue reporting process that uses Mozilla's Bugzilla instance (not GitHub issues). @g-k (the other active Bleach maintainer) is on one of the security teams at Mozilla. Part of the Bleach 2.0 dev process involved improving our test suite such that we can make more confident claims about Bleach's security assurances.

In the past, there have been security issues with html5lib that haven't affected Bleach because of the different defaults we use.

Regarding upgrading to Bleach 2.0, my experiences have been pretty straight-forward and it was just changing a few lines. I've heard other projects had upgrade pains because they depend on other libs that depend on different versions of html5lib than what Bleach supports.

There are a handful of regressions between Bleach 1.5 and 2.0. They're marked with the "regression" label in the issue tracker:

https://github.com/mozilla/bleach/issues?q=is%3Aissue+is%3Aopen+label%3Aregression

If you decide to upgrade, I'm happy to help with problems and get PRs landed.

Hope that helps!
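Bleach is Mozilla's allowlist-based HTML sanitizer built on html5lib, and the "different defaults" point in the comment above is what its security claims rest on: anything not explicitly allowed is escaped rather than passed through. The following is an added illustration, not Bleach's code and not from this thread. It uses the stdlib `html.parser` instead of html5lib, and the tag, attribute and URL-scheme allowlists (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `ALLOWED_SCHEMES`) are hypothetical values chosen for the example, not Bleach's defaults.

```python
"""Default-deny HTML sanitizer (illustration only; NOT Bleach's implementation).

Bleach tokenizes with html5lib; this stand-alone version uses Python's stdlib
html.parser to show the core design: tags and attributes not on an explicit
allowlist are escaped into visible text, never emitted as markup.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlists for this example (not Bleach's defaults).
ALLOWED_TAGS = {"a", "b", "em", "i", "p", "strong"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def _safe_url(url):
    """Allow relative URLs and absolute URLs whose scheme is on the allowlist.

    Whitespace is removed before the scheme check so that evasions such as
    "java\tscript:" are still recognised as the javascript: scheme.
    """
    cleaned = "".join(url.split()).lower()
    if ":" in cleaned:
        scheme = cleaned.split(":", 1)[0]
        return scheme in ALLOWED_SCHEMES
    return True


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Escape rather than drop: the reader sees the literal tag text,
            # but the browser never treats it as markup (e.g. <script>, <img onerror>).
            self.out.append(escape(self.get_starttag_text(), quote=False))
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers, style, and anything unlisted
            if name == "href" and not _safe_url(value or ""):
                continue  # drops javascript:/data:/vbscript: links
            parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>", quote=False))

    def handle_data(self, data):
        # Parser already decoded character references; re-escape on output.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->", quote=False))


def sanitize(html):
    """Return html with only allowlisted tags/attributes kept as markup."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for sample in ('<p>hi <script>alert(1)</script></p>',
                   '<a href="javascript:alert(1)" title="x">click</a>',
                   '<img src=x onerror=alert(1)>'):
        print(sanitize(sample))
```

The point of the shape above is that safety does not depend on recognising every dangerous construct; it depends on the allowlists being small and on the fallback being escape-to-text. That is also why a sanitizer's defaults, and the parser it relies on, are the security-relevant part of a version upgrade: a change in what html5lib tokenizes as a tag or an attribute changes what reaches the allowlist check at all. For production use, use Bleach itself rather than this sketch.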

Thank you for taking the time to offer transparency and evangelize your work @willkg. https://github.com/mozilla/bleach/issues/280 looks like a particularly surprising regression, but probably not the end of the world. OOC what security claims is Bleach now able to make?

Updating to bleach-2.0 would also help packaging in NixOS.
cc @akamaus
