[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Thomas Goirand zigo at debian.org
Wed Sep 17 15:15:32 UTC 2014


Hi,

I'm horrified by what I just found. I have just found out this in
glanceclient:

  File "<bla>/tests/test_ssl.py", line 19, in <module>
    from requests.packages.urllib3 import poolmanager
ImportError: No module named packages.urllib3

Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
Not from requests. The fact that requests is embedding its own version
of urllib3 is a heresy. In Debian, the embedded version of urllib3 is
removed from requests.

In Debian, we spend a lot of time "un-vendorizing" stuff, because
that's a security nightmare. I don't want to have to patch all of
OpenStack to do it there as well.

And no, there's no good excuse here...

Thomas Goirand (zigo)
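An added example, not part of the post or of glanceclient: a small ast-based check that a packager or reviewer can run over a source tree to flag imports reaching into the vendored `requests.packages` namespace (the `test_ssl.py` import above is the pattern it catches), together with the standalone `urllib3` name to use instead. The `SAMPLE` source is constructed for the demo.

```python
"""Flag imports that reach into requests' vendored copy of urllib3."""
import ast
from typing import List, Tuple

# Dotted prefix of the vendored namespace the post objects to.
VENDORED_PREFIX = "requests.packages"


def _is_vendored(name: str) -> bool:
    return name == VENDORED_PREFIX or name.startswith(VENDORED_PREFIX + ".")


def find_vendored_imports(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line, dotted-name) pairs for every absolute import under requests.packages.

    Both forms are caught:
        import requests.packages.urllib3
        from requests.packages.urllib3 import poolmanager
    """
    tree = ast.parse(source, filename=filename)
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            hits.extend((node.lineno, a.name) for a in node.names if _is_vendored(a.name))
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # level > 0 is a relative import and cannot name requests.packages.
            if _is_vendored(node.module):
                hits.append((node.lineno, node.module))
    return sorted(hits)


def suggest_fix(dotted: str) -> str:
    """Map 'requests.packages.urllib3[.sub]' to the standalone 'urllib3[.sub]'."""
    return dotted[len(VENDORED_PREFIX):].lstrip(".")


# Constructed sample mimicking the offending test module.
SAMPLE = '''\
import os
from requests.packages.urllib3 import poolmanager      # vendored path
import requests.packages.urllib3.util.retry as retry    # vendored path
from urllib3 import poolmanager as ok_pm                 # standalone: fine
'''

if __name__ == "__main__":
    for line, name in find_vendored_imports(SAMPLE, "test_ssl.py"):
        print(f"test_ssl.py:{line}: imports vendored {name!r}; use {suggest_fix(name)!r}")
```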
