[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Donald Stufft donald at stufft.io
Fri Sep 19 18:39:44 UTC 2014


> On Sep 19, 2014, at 2:26 PM, Chmouel Boudjnah <chmouel at enovance.com> wrote:
> 
> 
> On Fri, Sep 19, 2014 at 6:58 PM, Donald Stufft <donald at stufft.io <mailto:donald at stufft.io>> wrote:
> So you can remove all that code and just let requests/urllib3 handle it on 3.2+, 2.7.9+ and for anything less than that either use conditional dependencies to have glance client depend on pyOpenSSL, ndg-httpsclient, and pyasn1 on Python 2.x, or let them be optional and if people want to disable TLS compression in those versions they can install those versions themselves.
> 
> 
> we have that issue as well for swiftclient, see the great write-up from stuart here :
> 
> https://answers.launchpad.net/swift/+question/196920 <https://answers.launchpad.net/swift/+question/196920>
> 
> just removing it this and let hope that users uses bleeding edge python (which they don't) is not going to work for us. and the pyOpenSSL way is very unfriendly to the end-user as well.
> 
> 

Unfortunately those are the only options besides using a different TLS implementation besides pyOpenSSL all together.

Python 2.x standard library did not include the requisite nobs for configuring this, it wasn’t until Python 3.2+ that the ssl module in the standard library gained the ability to have these kinds of things applied to it. Python 2.7.9 contains a back port of the 3.x ssl module to Python 2.7, so that’s the first time in the 2.x line that the standard library has the knobs to change these things.

The alternative to 3.2+ or 2.7.9+ is using an alternative TLS implementation, of which pyOpenSSL is by far the most popular (and it’s what glanceclient is using right now).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140919/154c1941/attachment.html>


More information about the OpenStack-dev mailing list