[openstack-dev] Requests + urllib3 + distro packages

Cory Benfield cory at lukasa.co.uk
Thu Oct 15 10:08:49 UTC 2015

> On 14 Oct 2015, at 23:23, Thomas Goirand <zigo at debian.org> wrote:
> I do understand that you don't like being called this way, though this
> is still the reality. Vendorizing is still inflicting some major pain on a
> lot of your users:
> - This thread is one demonstration of it.
> - You having to contact downstream distros is another.
> - The unbundling work inflicted on downstream package maintainers is a
> third.
> So like it or not, it is a fact that it is difficult to work with
> requests because of the way it is released upstream.

As I said earlier, I’m not getting drawn into a debate about vendorizing in this forum. The last one of these was sufficiently toxic that I’m simply unwilling to have the discussion here. If you really want to talk about this again, I’m happy to take it out of this mailing list to somewhere where fewer people are going to make the discussion personal.

Note however that point 2 is not accurate. The main reason we have relationships with our downstream repackagers is for security release purposes. Per our security policy, we have exchanged GPG keys with them, and will make sure we contact them ahead of time so we can perform a synchronised release of security updates. In this instance we chose to use our relationship with our repackagers to get this change made, but it is not the main reason we communicate with them. (Also, they’re nice people!)

>> has had a policy in place for six months
>> that ensures that you can have the same result with pip and
>> system packages. For six months we have only updated to versions
>> of urllib3 that are actually released, and therefore that are
>> definitely available from pip (and potentially available from
>> the distribution).
>> The reason this has not been working is because the distributions,
>> when they unbundle us, have not been populating their setup.py to
>> reflect the dependency: only their own metadata. We’ve been in
>> contact with them, and this change is being made in the
>> distributions we have relationships with.
> Though you could have avoided all of this pain if you were not bundling.
> Doesn't all of this make you re-think your vendorizing policy? Or still
> not? I'm asking because I still haven't read your answer to the
> important question: since you aren't using specially crafted versions of
> urllib3 anymore, and are now only using official releases, what's the reason
> that keeps you vendorizing? Not trying to convince you here, just trying
> to understand.

Again, I’m not being drawn into this discussion here.

Let me make one point, though. There are three people involved in a decision-making role on the requests project, and this is an important issue to every member of the team. This policy has been part of the requests project for a very long time, and we aren’t going to change it in a short space of time: I’m certainly not going to unilaterally do so. All I can promise you is that we continue to talk about this internally, and if we *unanimously* feel comfortable changing our policy we will do so. Until then, I’m happy to do my best to accommodate as many people as possible (which in this case I believe we have done).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20151015/378e768a/attachment.pgp>