[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Donald Stufft donald at stufft.io
Fri Sep 19 15:59:00 UTC 2014


> On Sep 19, 2014, at 11:54 AM, Brant Knudson <blk at acm.org> wrote:
> 
> 
> I don't think anyone would be complaining if glanceclient didn't have the need to reach into and monkeypatch requests's connection pool manager[1]. Is there a way to tell requests to build the https connections differently without monkeypatching urllib3.poolmanager?
> 
> glanceclient's monkeypatching of the global variable here is dangerous since it will mess with the application and every other library if the application or another library uses glanceclient.
> 
> [1] http://git.openstack.org/cgit/openstack/python-glanceclient/tree/glanceclient/common/https.py#n75 <http://git.openstack.org/cgit/openstack/python-glanceclient/tree/glanceclient/common/https.py#n75>
> 

Why does it need to use it’s own VerifiedHTTPSConnection class? Ironically
reimplementing that is probably more dangerous for security than requests
bundling urllib3 ;)

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140919/d20a78b3/attachment.html>


More information about the OpenStack-dev mailing list