[oslo] Bandit Strategy

Ben Nemec openstack at nemebean.com
Mon May 13 17:23:33 UTC 2019

Nefarious cap bandits are running amok in the OpenStack community! Won't 
someone take a stand against these villainous headwear thieves?!

Oh, sorry, just pasted the elevator pitch for my new novel. ;-)

Actually, this email is to summarize the plan we came up with in the 
Oslo meeting this morning. Since we have a bunch of projects affected by 
the Bandit breakage I wanted to make sure we had a common fix so we 
don't have a bunch of slightly different approaches in each project. The 
plan we agreed on in the meeting was to push a two-patch series to each 
repo - one to cap bandit <1.6.0 and one to uncap it with a !=1.6.0 
exclusion. The first should be merged immediately to unblock CI, and the 
latter can be rechecked once bandit 1.6.1 releases to verify that it 
fixes the problem for us.

We chose this approach instead of just tweaking the exclusion in tox.ini 
because it's not clear that the current behavior will continue once 
Bandit fixes the bug. Assuming they restore the old behavior, this 
should require the least churn in our repos and means we're still 
compatible with older versions that people may already have installed.

I started pushing patches under 
https://review.opendev.org/#/q/topic:cap-bandit (which prompted the 
digression to start this email ;-) to implement this plan. This is 
mostly intended to be informational, but if you have any concerns with 
the plan above please do let us know immediately.
