[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Mike Bayer mbayer at redhat.com
Wed Sep 17 19:31:24 UTC 2014
On Sep 17, 2014, at 2:46 PM, Clint Byrum <clint at fewbar.com> wrote:

> Excerpts from Davanum Srinivas's message of 2014-09-17 10:15:29 -0700:
>> I was trying request-ifying oslo.vmware and ran into this as well:
>> https://review.openstack.org/#/c/121956/
>> 
>> And we don't seem to have urllib3 in global-requirements either.
>> Should we do that first?
> 
> Honestly, after reading this:
> 
> https://github.com/kennethreitz/requests/pull/1812
> 
> I think we might want to consider requests a poor option. Its author
> clearly doesn't understand the role a _library_ plays in software
> development and considers requests an application, not a library.
> 
> For instance, why is requests exposing internal implementation details
> at all?  It should be wrapping any exceptions or objects to avoid
> forcing users to make this choice at all.

that link is horrifying. I’m really surprised Requests does this, and that nobody has complained very loudly about it. It’s wrong on every level, not the least of which is the huge security implications.
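Added illustration (not part of Mike's message or of the requests/urllib3 projects) of the two concrete failure modes behind the "huge security implications" above: a vendored snapshot of a library is a separate Python object from the top-level install, so exception classes from one copy never match the other, and the vendored copy keeps its own frozen version that a security upgrade of the top-level package does not touch. Both "copies" of the library and the site-packages tree are constructed stand-ins built in memory and in a temp directory; `find_nested_copies` is a hypothetical audit helper, not a real tool.

```python
"""Two copies of one library: exception identity mismatch and version skew.
Everything here is a constructed stand-in for urllib3 and a vendored copy."""
import os
import re
import tempfile
import types

# Constructed stand-in for the library's source. A vendored copy starts life
# as exactly this kind of snapshot of the upstream code, then stops moving.
LIB_SOURCE = '''
__version__ = "{version}"

class ProtocolError(Exception):
    """Stand-in for urllib3.exceptions.ProtocolError."""

def make_request(fail=False):
    if fail:
        raise ProtocolError("connection aborted")
    return "ok"
'''


def build_module(name, version):
    """Execute LIB_SOURCE into a fresh module object, as importing a copy would."""
    mod = types.ModuleType(name)
    exec(LIB_SOURCE.format(version=version), mod.__dict__)
    return mod


def same_copy(a, b):
    """True only when both names refer to one library: the exception class
    must be literally the same object in both modules."""
    return a.ProtocolError is b.ProtocolError


def catch_with_toplevel(vendored_mod, toplevel_mod):
    """A caller wrote `except urllib3.ProtocolError`, but the error is raised
    by the vendored copy. Returns True only if that except clause matched;
    the generic handler stands in for the error escaping the caller's code."""
    try:
        vendored_mod.make_request(fail=True)
    except toplevel_mod.ProtocolError:
        return True
    except Exception:
        return False
    return False


def find_nested_copies(site_packages, package):
    """Hypothetical audit helper: report every directory named `package`
    that sits inside another distribution (not at the top level of
    site-packages), with the __version__ parsed from its __init__.py.
    Returns a sorted list of (relative_path, version_or_None)."""
    version_re = re.compile(r'^__version__\s*=\s*["\']([^"\']+)["\']', re.M)
    found = []
    for root, dirs, _files in os.walk(site_packages):
        for d in dirs:
            if d != package:
                continue
            full = os.path.join(root, d)
            if os.path.dirname(full) == site_packages:
                continue  # the top-level install is the one pip manages
            version = None
            init = os.path.join(full, "__init__.py")
            if os.path.exists(init):
                with open(init) as fh:
                    m = version_re.search(fh.read())
                    version = m.group(1) if m else None
            found.append((os.path.relpath(full, site_packages), version))
    return sorted(found)


def build_fake_site_packages():
    """Constructed tree: top-level copy at 1.10 plus a vendored 1.8 under
    requests/packages. Returns the root path. Versions are made up."""
    root = tempfile.mkdtemp(prefix="fake_site_packages_")
    layout = {
        ("urllib3",): "1.10",
        ("requests", "packages", "urllib3"): "1.8",
    }
    for parts, version in layout.items():
        d = os.path.join(root, *parts)
        os.makedirs(d)
        with open(os.path.join(d, "__init__.py"), "w") as fh:
            fh.write(LIB_SOURCE.format(version=version))
    return root


if __name__ == "__main__":
    toplevel = build_module("urllib3", "1.10")
    vendored = build_module("requests.packages.urllib3", "1.8")
    print("same copy:", same_copy(toplevel, vendored))
    print("caught by top-level except:", catch_with_toplevel(vendored, toplevel))
    print("nested copies:", find_nested_copies(build_fake_site_packages(), "urllib3"))
```

The audit helper is the part worth keeping around: pointing it at a real site-packages directory lists every nested copy of a named package together with the version it is frozen at, which is what you need to know whether a top-level `pip install --upgrade` actually reached the code that is executing.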