[all][requirements][stable] requests version bump on stable branches {pike|queens} for CVE-2018-18074

Jeremy Stanley fungi at yuggoth.org
Wed May 8 14:27:58 UTC 2019

On 2019-05-07 22:50:21 +0200 (+0200), Dirk Müller wrote:
> Am Di., 7. Mai 2019 um 22:30 Uhr schrieb Matthew Thode <mthode at mthode.org>:
> > Pike   - 2.18.2 -> 2.20.1 - https://review.opendev.org/640727
> > Queens - 2.18.4 -> 2.20.1 - https://review.opendev.org/640710
> Specifically it looks like we're already at the next issue, as tracked here:
> https://github.com/kennethreitz/requests/issues/5065
> Any concerns from anyone on these newer urllib3 updates? I guess we'll
> do them a bit later though.

It's still unclear to me why we're doing this at all. Our stable
constraints lists are supposed to be a snapshot in time from when we
released, modulo stable point release updates of the libraries we're
maintaining. Agreeing to bump random dependencies on stable branches
because of security vulnerabilities in them is a slippery slope
toward our users expecting the project to be on top of vulnerability
announcements for every one of the ~600 packages in our constraints
list. Deployment projects already should not depend on our
requirements team tracking security vulnerabilities, so need to have
a mechanism to override constraints entries anyway if they're making
such guarantees to their users (and I would also caution against
doing that too).

Distributions are far better equipped than our project to handle
such tracking, as they generally get advance notice of
vulnerabilities and selectively backport fixes for them. Trying to
accomplish the same with a mix of old and new dependency versions in
our increasingly aging stable and extended maintenance branches
seems like a disaster waiting to happen.</soapbox>

Jeremy Stanley