[openstack-dev] [release][requirements][packaging][summit] input needed on summit discussion about global requirements

Sean Dague sean at dague.net
Mon Apr 18 17:49:31 UTC 2016

On 04/18/2016 01:33 PM, Doug Hellmann wrote:
> Excerpts from Matthew Thode's message of 2016-04-18 10:23:37 -0500:
>> To add to this, I'd also note that I as a packager would likely stop
>> packaging OpenStack at whatever release this goes into. While the
>> option to package and ship a virtualenv installed to /usr/local or /opt
>> exists, bundling is not something that should be supported given the
>> issues it can have (update cadence and security issues mainly).
> That's a useful data point, but it comes across as a threat and I'm
> having trouble taking it as a constructive comment.
> Can you truly not imagine any other useful way to package OpenStack
> other than individual packages with shared dependencies that would
> be acceptable?

I think it's important to realize that if we go down this route, I'd
expect a lot of community distros to take that standpoint. Only
distros with a product will be able to take on the work.

We often get annoyed with projects in our own space being "special
snowflakes" and doing things differently. OpenStack demanding that every
component has a copy of its own dependencies is definitely being a
special snowflake to the distros. And for those not building product,
it's probably just going to be too much work. I'd rather be thankful for
Matthew's honesty about that up front instead of not saying anything,
and it getting quietly dropped, and people being mad later.

A lot of distros specifically have policies against this kind of
bundling as well, because of security issues like this (which was so
very bad) - http://www.zlib.net/advisory-2002-03-11.txt

How to mitigate that kind of issue and "fleet deploy" CVEed libraries in
these environments is definitely an open question, especially as it
doesn't fit into the security stream and tools that distros have built
over the last couple of decades.


Sean Dague
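The "fleet deploy" problem Sean raises is concrete: once every component ships its own virtualenv, a fix for a CVE'd library has to be found and rolled out once per bundled copy rather than once per host. The script below is an added example, not code from this thread or from OpenStack itself. It walks a set of install roots (virtualenvs, /opt prefixes), reads each `*.dist-info/METADATA`, and lists every copy of a named distribution that is still older than the known-fixed version. The distribution name `examplelib`, the venv names and the versions are constructed sample data, and the version comparison is a deliberately simple numeric-tuple compare rather than full PEP 440 handling.

```python
"""Inventory bundled copies of a Python library across many install roots.

Added example, not from the mailing-list thread: when each component
bundles its own dependencies, a library CVE must be patched once per copy.
This walks install roots, reads every *.dist-info/METADATA, and reports
each copy of a named distribution older than a known-fixed version.
Distribution names, versions and paths used here are constructed sample data.
"""
import os
import tempfile
from email.parser import Parser
from typing import Iterator, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a plain dotted numeric version ('1.2.11' -> (1, 2, 11)).

    Simplification (assumption): non-numeric characters in a segment are
    dropped, and an all-alpha segment counts as 0. Real PEP 440 handling
    (pre-releases, epochs) would use the `packaging` library instead.
    """
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def iter_dist_metadata(root: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (normalized name, version, metadata path) for each *.dist-info under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath.endswith(".dist-info") and "METADATA" in filenames:
            path = os.path.join(dirpath, "METADATA")
            # METADATA is RFC 822 style headers, so the stdlib email parser reads it.
            with open(path, encoding="utf-8", errors="replace") as fh:
                msg = Parser().parse(fh)
            name = msg.get("Name")
            version = msg.get("Version")
            if name and version:
                yield name.lower().replace("_", "-"), version, path


def find_vulnerable_copies(roots: List[str], dist: str,
                           fixed_version: str) -> List[Tuple[str, str]]:
    """Return (version, metadata path) for every copy of `dist` below fixed_version."""
    want = dist.lower().replace("_", "-")
    fixed = parse_version(fixed_version)
    hits = []
    for root in roots:
        for name, version, path in iter_dist_metadata(root):
            if name == want and parse_version(version) < fixed:
                hits.append((version, path))
    return sorted(hits)


def build_sample_tree(base: str) -> List[str]:
    """Create a constructed layout: three component venvs, each bundling 'examplelib'."""
    layout = {"nova-venv": "1.2.8", "neutron-venv": "1.2.11", "glance-venv": "1.2.3"}
    roots = []
    for venv, ver in layout.items():
        dist_dir = os.path.join(base, venv, "lib", "python3", "site-packages",
                                f"examplelib-{ver}.dist-info")
        os.makedirs(dist_dir)
        with open(os.path.join(dist_dir, "METADATA"), "w", encoding="utf-8") as fh:
            fh.write(f"Metadata-Version: 2.1\nName: examplelib\nVersion: {ver}\n")
        roots.append(os.path.join(base, venv))
    return roots


def demo() -> List[str]:
    """Run the inventory over the constructed tree; return the venv names still unpatched."""
    with tempfile.TemporaryDirectory() as base:
        roots = build_sample_tree(base)
        hits = find_vulnerable_copies(roots, "examplelib", "1.2.11")
        return sorted(os.path.relpath(p, base).split(os.sep)[0] for _, p in hits)


if __name__ == "__main__":
    # Constructed data: nova-venv and glance-venv still carry pre-fix copies.
    print(demo())
```

The point of the exercise is what a shared-dependency distro gets for free: one `zlib` (or one Python library) package on the host means one version to check and one update to push. With per-component bundling, the operator has to build and maintain an inventory like this before a fix can even be scheduled.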
