[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Davanum Srinivas davanum at gmail.com
Wed Sep 17 17:15:29 UTC 2014


I was trying to request-ify oslo.vmware and ran into this as well:
https://review.openstack.org/#/c/121956/

And we don't seem to have urllib3 in global-requirements either.
Should we do that first?

-- dims

On Wed, Sep 17, 2014 at 1:05 PM, Clint Byrum <clint at fewbar.com> wrote:
> This is where Debian's "one urllib3 to rule them all" model fails in
> a modern fast paced world. Debian is arguably doing the right thing by
> pushing everyone to use one API, and one library, so that when that one
> library is found to be vulnerable to security problems, one update covers
> everyone. Also, this is an HTTP/HTTPS library.. so nobody can make the
> argument that security isn't paramount in this context.
>
> But we all know that the "app store" model has started to bleed down into
> backend applications, and now you just ship the virtualenv or docker
> container that has your app as you tested it, and if that means you're
> 20 versions behind on urllib3, that's your problem, not the OS vendor's.
>
> I think it is _completely_ irresponsible of requests, a library, to
> embed another library. But I don't know if we can avoid making use of
> it if we are going to be exposed to objects that are attached to it.
>
> Anyway, Thomas, if you're going to send the mob with pitchforks and
> torches somewhere, I'd say send them to wherever requests makes its
> home. OpenStack is just buying their mutated product.
>
> Excerpts from Donald Stufft's message of 2014-09-17 08:22:48 -0700:
>> Looking at the code on my phone it looks completely correct to use the vendored copy here and it wouldn't actually work otherwise.
>>
>> > On Sep 17, 2014, at 11:17 AM, Donald Stufft <donald at stufft.io> wrote:
>> >
>> > I don't know the specific situation but it's appropriate to do this if you're using requests and wish to interact with the urllib3 that requests is using.
>> >
>> >> On Sep 17, 2014, at 11:15 AM, Thomas Goirand <zigo at debian.org> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm horrified by what I just found. I have just found out this in
>> >> glanceclient:
>> >>
>> >> File "<bla>/tests/test_ssl.py", line 19, in <module>
>> >>   from requests.packages.urllib3 import poolmanager
>> >> ImportError: No module named packages.urllib3
>> >>
>> >> Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
>> >> Not from requests. The fact that requests is embedding its own version
>> >> of urllib3 is a heresy. In Debian, the embedded version of urllib3 is
>> >> removed from requests.
>> >>
>> >> In Debian, we spend a lot of time "un-vendorizing" stuff, because
>> >> that's a security nightmare. I don't want to have to patch all of
>> >> OpenStack to do it there as well.
>> >>
>> >> And no, there's no good excuse here...
>> >>
>> >> Thomas Goirand (zigo)
>> >>
>> >> _______________________________________________
>> >> OpenStack-dev mailing list
>> >> OpenStack-dev at lists.openstack.org
>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>>



-- 
Davanum Srinivas :: https://twitter.com/dims
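Added example, not code from glanceclient, requests or Debian: a portable way to get "the urllib3 that requests uses" (Donald's point) that still works once a distribution has stripped the vendored tree (Thomas's ImportError), plus the identity check a practitioner wants before passing a PoolManager or similar object between two copies. The module names fakereq.packages.urllib3 and fakeurllib3 are hypothetical stand-ins so the simulation runs offline; the real candidates are requests.packages.urllib3 and urllib3.

```python
"""Which urllib3 does my code actually get?

Added example, not code from glanceclient, requests or Debian.  The names
"fakereq.packages.urllib3" and "fakeurllib3" are constructed stand-ins used
only to simulate the layouts the thread describes: requests with a genuinely
separate vendored copy, a distribution that has stripped it, and one where
the vendored path is merely an alias for the system package.
"""
import importlib
import sys
import types

# Real-world candidates, in the order Donald's point implies: the copy that
# requests itself uses first (its adapter/pool objects are instances of those
# classes), then the top-level package Thomas wants, which is all that is
# left after a distribution un-vendors requests.
DEFAULT_CANDIDATES = ("requests.packages.urllib3", "urllib3")


def resolve_module(candidates=DEFAULT_CANDIDATES):
    """Return (dotted_name, module) for the first candidate that imports.

    Raises ImportError naming every candidate tried when none imports,
    which is what a single hard-coded
    ``from requests.packages.urllib3 import poolmanager`` cannot recover from.
    """
    failures = []
    for name in candidates:
        try:
            return name, importlib.import_module(name)
        except ImportError as exc:
            failures.append("%s: %s" % (name, exc))
    raise ImportError("no urllib3 found; tried " + "; ".join(failures))


def single_copy(candidates=DEFAULT_CANDIDATES):
    """True if every importable candidate is literally the same module object.

    Two distinct copies mean two distinct sets of classes: an object built by
    one copy's PoolManager fails isinstance() against the other's, and a
    security fix applied to the system copy never reaches the vendored one.
    Returns False when nothing imports at all.
    """
    found = []
    for name in candidates:
        try:
            found.append(importlib.import_module(name))
        except ImportError:
            pass
    return bool(found) and all(mod is found[0] for mod in found)


# --- simulation harness (constructed; never touches the real packages) ---
VENDORED = "fakereq.packages.urllib3"   # hypothetical stand-in
SYSTEM = "fakeurllib3"                  # hypothetical stand-in
CANDIDATES = (VENDORED, SYSTEM)


def simulate(vendored, system, alias=False):
    """Install fake modules for the requested layout, probe, then clean up.

    Returns (resolved_name_or_None, single_copy_result).
    """
    installed = []
    try:
        sys_mod = types.ModuleType(SYSTEM)
        if system:
            sys.modules[SYSTEM] = sys_mod
            installed.append(SYSTEM)
        if vendored:
            # alias=True models the vendored path re-exporting the system
            # package; alias=False models a genuinely separate vendored tree.
            sys.modules[VENDORED] = sys_mod if alias else types.ModuleType(VENDORED)
            installed.append(VENDORED)
        try:
            name, _ = resolve_module(CANDIDATES)
        except ImportError:
            name = None
        return name, single_copy(CANDIDATES)
    finally:
        for mod_name in installed:
            sys.modules.pop(mod_name, None)


if __name__ == "__main__":
    print("vendored + system :", simulate(vendored=True, system=True))
    print("un-vendored       :", simulate(vendored=False, system=True))
    print("aliased           :", simulate(vendored=True, system=True, alias=True))
    print("neither           :", simulate(vendored=False, system=False))
    try:
        print("this interpreter  :", resolve_module()[0])
    except ImportError as exc:
        print("this interpreter  :", exc)
```

Trying the vendored path first is the right order only when you need to interoperate with objects requests created; if you just want a urllib3 and never touch requests' internals, reverse the candidate order and you get Thomas's preferred import with the vendored copy as a fallback. Either way, a False from single_copy() on a box where both import is the signal that a CVE fix to the system package has not reached the copy your HTTP client is actually running.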