[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: retrying)

Joshua Harlow harlowja at outlook.com
Wed Sep 17 22:43:34 UTC 2014


A related and slightly less problematic case is another one like this...

https://github.com/rholder/retrying/issues/11

On Sep 17, 2014, at 8:15 AM, Thomas Goirand <zigo at debian.org> wrote:

> Hi,
> 
> I'm horrified by what I just found. I have just found out this in
> glanceclient:
> 
>  File "<bla>/tests/test_ssl.py", line 19, in <module>
>    from requests.packages.urllib3 import poolmanager
> ImportError: No module named packages.urllib3
> 
> Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
> Not from requests. The fact that requests is embedding its own version
> of urllib3 is a heresy. In Debian, the embedded version of urllib3 is
> removed from requests.
> 
> In Debian, we spend a lot of time "un-vendorizing" stuff, because
> that's a security nightmare. I don't want to have to patch all of
> OpenStack to do it there as well.
> 
> And no, there's no good excuse here...
> 
> Thomas Goirand (zigo)
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
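The situation Thomas describes, as an added example that is not code from this thread, from requests or from urllib3: a Python audit that walks a site-packages tree and reports every copy of a package, separating the standalone install from copies bundled inside other packages, which is the list a security fix has to reach. The directory layout, package names and version numbers it builds are constructed sample data.

```python
"""Audit a site-packages tree for vendored copies of a library (added example)."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)

def read_version(pkg_dir: str) -> str:
    """Return the __version__ declared in pkg_dir/__init__.py, or 'unknown'."""
    try:
        with open(os.path.join(pkg_dir, "__init__.py"), encoding="utf-8") as fh:
            match = VERSION_RE.search(fh.read())
    except OSError:
        return "unknown"
    return match.group(1) if match else "unknown"

def find_copies(root: str, name: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk `root` (a site-packages dir) and report every package dir named `name`.

    Returns {'top_level': [(relpath, version)], 'vendored': [(relpath, version)]};
    a copy is 'vendored' when it sits inside another package instead of directly in root.
    """
    report: Dict[str, List[Tuple[str, str]]] = {"top_level": [], "vendored": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == name and "__init__.py" in filenames:
            rel = os.path.relpath(dirpath, root)
            key = "top_level" if rel == name else "vendored"
            report[key].append((rel.replace(os.sep, "/"), read_version(dirpath)))
            dirnames[:] = []  # do not descend into the copy itself
    for key in report:
        report[key].sort()
    return report

def _write_pkg(root: str, rel: str, version: str) -> None:
    """Create a minimal package at root/rel declaring `version` (constructed sample data)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "__init__.py"), "w", encoding="utf-8") as fh:
        fh.write(f'__version__ = "{version}"\n')

def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build a constructed layout like the one in the thread and audit it."""
    with tempfile.TemporaryDirectory() as root:
        _write_pkg(root, "urllib3", "1.9.1")                    # standalone install (sample)
        _write_pkg(root, "requests/packages/urllib3", "1.8.3")  # copy bundled by requests (sample)
        return find_copies(root, "urllib3")

if __name__ == "__main__":
    print(demo())
```

Run against a real site-packages directory, `find_copies(path, "urllib3")` lists each bundled copy and its version so they can be checked against the standalone package when an advisory lands.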
