[openstack-dev] Requests + urllib3 + distro packages

Cory Benfield cory at lukasa.co.uk
Fri Oct 9 07:21:41 UTC 2015


Robert Collins <robertc at ...> writes:
> The problem that occurs is the result of a few interacting things:
>  - requests has very very specific versions of urllib3 it works with.
> So specific they aren't always released yet.

This should no longer be true. Our downstream redistributors pointed out to us
that this was making their lives harder than they needed to be, so it's now
our policy to only update to actual release versions of urllib3.

> The second is trivially insufficient - anytime requests vendored
> urllib3 is not precisely identical to a released urllib3, it becomes
> impossible to satisfy that via dependency version pinning - the only
> way to satisfy it is with the urllib3 in the distro that has whatever
> change was needed included.

Per my note above, if we restrict ourselves to relatively recent versions of
requests (2.7.3+ IIRC) we should be fine. Of course, that doesn't mean we can
actually do that...

> The fourth approach meets the stone wall of 'but security' and 'no
> redundancy permitted' - I don't have the energy to try and get through
> the near-religious mindset I've encountered there before, though hey -
> if Fedora and Debian and Ubuntu folk are all interested in figuring
> out a sustainable way forward, that would be great: please don't feel
> cut out, I'm just not expecting anything.

It should be assumed that approach number four is a non-starter. This list has
had that conversation before, which was a stunningly unpleasant experience for
me and not one I want to repeat. Additionally, getting *all* of
Fedora/Debian/Ubuntu on board with not unbundling requests is about as likely
as hell freezing over.

Cory
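The mismatch Robert describes (a bundled urllib3 that is not byte-for-byte a released urllib3, so no version pin can express it) is easy to detect on a given box. The script below is an added example, not code from this thread or from the requests project: `vendor_status()` imports a package's bundled copy of a dependency and the separately installed top-level copy, then reports whether they are the same module object and whether their `__version__` strings agree. So it runs offline, `demo()` builds a throwaway `fakereq`/`fakeurl` package tree (constructed names) in a temp directory; against a real install you would call `vendor_status("requests.packages.urllib3", "urllib3")`, the path under which requests exposed its bundled copy at the time of this thread (check the layout of whatever version you actually have).

```python
"""Detect whether a package uses a vendored copy of a dependency, and whether
that copy matches the separately installed release.

Added example, not from the openstack-dev thread or the requests project.
'fakereq' and 'fakeurl' are constructed stand-ins for requests/urllib3.
"""
import importlib
import os
import shutil
import sys
import tempfile


def vendor_status(vendored_modname, toplevel_modname):
    """Import both spellings of the dependency and compare them.

    Returns a dict with each copy's version string and file, whether the two
    names resolve to the same module object (the package merely re-exports
    the system copy) and whether the versions match. A missing module is
    reported as None rather than raising, so the check can run on hosts that
    have only one of the two installed.
    """
    def _load(name):
        try:
            return importlib.import_module(name)
        except ImportError:
            return None

    vendored = _load(vendored_modname)
    system = _load(toplevel_modname)
    v_ver = getattr(vendored, "__version__", None)
    s_ver = getattr(system, "__version__", None)
    return {
        "vendored_version": v_ver,
        "system_version": s_ver,
        "vendored_file": getattr(vendored, "__file__", None),
        "system_file": getattr(system, "__file__", None),
        "same_object": vendored is not None and vendored is system,
        "versions_match": v_ver is not None and v_ver == s_ver,
    }


def build_fake_tree(root, vendored_version, system_version):
    """Constructed fixture: package 'fakereq' bundling 'fakereq.packages.fakeurl',
    plus a separate top-level 'fakeurl', each declaring its own __version__."""
    def write(relpath, body):
        path = os.path.join(root, *relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

    write(("fakereq", "__init__.py"), "")
    write(("fakereq", "packages", "__init__.py"), "")
    write(("fakereq", "packages", "fakeurl", "__init__.py"),
          '__version__ = "%s"\n' % vendored_version)
    write(("fakeurl", "__init__.py"),
          '__version__ = "%s"\n' % system_version)


def demo(vendored_version="1.12.dev0", system_version="1.12"):
    """Run vendor_status() against the constructed tree and return its result.

    The default mimics the situation in the thread: a bundled pre-release
    snapshot that no released version string can satisfy.
    """
    root = tempfile.mkdtemp(prefix="vendorcheck-")
    build_fake_tree(root, vendored_version, system_version)
    sys.path.insert(0, root)
    try:
        # Drop modules cached by an earlier call so this tree is what gets read.
        for name in list(sys.modules):
            if name == "fakereq" or name.startswith("fakereq.") or name == "fakeurl":
                del sys.modules[name]
        importlib.invalidate_caches()
        return vendor_status("fakereq.packages.fakeurl", "fakeurl")
    finally:
        sys.path.remove(root)
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-17s %s" % (key + ":", val))
```

On a distro that has unbundled requests, `same_object` is True and the versions trivially match; on a pip-installed requests of the 2015 vintage, `same_object` is False and a `.devN` suffix on `vendored_version` is exactly the case where pinning `urllib3` in a distro cannot satisfy requests.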