[Buildroot] [PATCH 1/1] support/scripts/cve: replace distutils with looseversion

Arnout Vandecappelle arnout at rnout.be
Thu Sep 11 19:13:43 UTC 2025


  Hi Anton,

On 11/09/2025 14:12, Anton Bengtsson via buildroot wrote:
> The package 'distutils' was removed in Python 3.12 (https://docs.python.org/3/library/distutils.html)
> and looseversion appears to be a good drop-in replacement for distutils.version.LooseVersion,
> see https://pypi.org/project/looseversion/.

  The problem is that looseversion is not in the standard lib. We try as much as 
possible to depend only on the standard lib. Obviously that is not possible any 
more since distutils is _also_ no longer in the standard lib.

  We have a few scripts that have some external dependencies. Mostly in the 
tests. Otherwise it's (I think) only check-package that depends on flake8 and 
python-magic.

  So, probably OK to move to looseversion, but then we need two additional changes:

- support/docker/Dockerfile must be updated to include it;
- cve.py should get a header like check-package has so that dependencies can be 
handled by uv. Cfr. commit message of commit 
6ffcdb52e80b63e68c890aed52ff7f4d00e079b8.


  Regards,
  Arnout

> 
> Signed-off-by: Anton Bengtsson <anton.bengtsson at plejd.com>
> ---
>   support/scripts/cve.py | 10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/support/scripts/cve.py b/support/scripts/cve.py
> index ba41762fa0..63372c3273 100755
> --- a/support/scripts/cve.py
> +++ b/support/scripts/cve.py
> @@ -19,11 +19,11 @@
>   
>   import datetime
>   import os
> -import distutils.version
>   import json
>   import subprocess
>   import sys
>   import operator
> +from looseversion import LooseVersion
>   
>   sys.path.append('utils/')
>   
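Review bot: the new `from looseversion import LooseVersion` line sits inside the standard-library import group, so the only non-stdlib import in the script is indistinguishable from the rest; move it into its own group after the stdlib imports (PEP 8 grouping), and since a missing third-party module would now abort the script with a bare ModuleNotFoundError, consider wrapping it in a `try: ... except ImportError:` that prints which package to install before exiting.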
> @@ -190,7 +190,7 @@ class CVE:
>           by this CVE.
>           """
>   
> -        pkg_version = distutils.version.LooseVersion(version)
> +        pkg_version = LooseVersion(version)
>           if not hasattr(pkg_version, "version"):
>               print("Cannot parse package '%s' version '%s'" % (name, version))
>               pkg_version = None
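Review bot: the unchanged `if not hasattr(pkg_version, "version")` check right after the replaced line is the script's only parse-failure detection, and it depends on the constructor leaving `.version` unset for an empty or None input, which is how distutils behaved; please confirm looseversion's LooseVersion does the same, otherwise unparseable versions will no longer be reported and `pkg_version` will never be set to None here.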
> @@ -202,7 +202,7 @@ class CVE:
>           # version, as they might be different due to
>           # <pkg>_CPE_ID_VERSION
>           else:
> -            pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
> +            pkg_version = LooseVersion(cpe_version(cpeid))
>   
>           for cpe in self.each_cpe():
>               if not cpe_matches(cpe['id'], cpeid):
> @@ -214,7 +214,7 @@ class CVE:
>   
>               if cpe['v_start']:
>                   try:
> -                    cve_affected_version = distutils.version.LooseVersion(cpe['v_start'])
> +                    cve_affected_version = LooseVersion(cpe['v_start'])
>                       inrange = ops.get(cpe['op_start'])(pkg_version, cve_affected_version)
>                   except TypeError:
>                       return self.CVE_UNKNOWN
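Review bot: the `except TypeError: return self.CVE_UNKNOWN` path around the replaced comparison exists because distutils' LooseVersion raised TypeError when comparing mixed int/str components (e.g. "1.0" vs "1.0a"); looseversion was written precisely to make such comparisons succeed, so after this change those CVEs may flip from CVE_UNKNOWN to a definite affected/not-affected result based on looseversion's ordering rules. That is a behavioural change in CVE matching and should be stated in the commit message, ideally with a note on whether the remaining `except TypeError` is still reachable.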
> @@ -226,7 +226,7 @@ class CVE:
>   
>               if cpe['v_end']:
>                   try:
> -                    cve_affected_version = distutils.version.LooseVersion(cpe['v_end'])
> +                    cve_affected_version = LooseVersion(cpe['v_end'])
>                       inrange = ops.get(cpe['op_end'])(pkg_version, cve_affected_version)
>                   except TypeError:
>                       return self.CVE_UNKNOWN


