[oslo] Bandit Strategy

Ben Nemec openstack at nemebean.com
Mon May 13 17:40:19 UTC 2019

On 5/13/19 12:23 PM, Ben Nemec wrote:
> Nefarious cap bandits are running amok in the OpenStack community! Won't 
> someone take a stand against these villainous headwear thieves?!
> Oh, sorry, just pasted the elevator pitch for my new novel. ;-)
> Actually, this email is to summarize the plan we came up with in the 
> Oslo meeting this morning. Since we have a bunch of projects affected by 
> the Bandit breakage I wanted to make sure we had a common fix so we 
> don't have a bunch of slightly different approaches in each project. The 
> plan we agreed on in the meeting was to push a two patch series to each 
> repo - one to cap bandit <1.6.0 and one to uncap it with a !=1.6.0 
> exclusion. The first should be merged immediately to unblock ci, and the 
> latter can be rechecked once bandit 1.6.1 releases to verify that it 
> fixes the problem for us.

Oh, and since sphinx is also breaking the Oslo world, I guess we're 
going to have to include the sphinx requirements fix in these first 
patches: https://review.opendev.org/#/c/658857/

That's passing the requirements job so it should unblock us.

/me is off to squash some patches

> We chose this approach instead of just tweaking the exclusion in tox.ini 
> because it's not clear that the current behavior will continue once 
> Bandit fixes the bug. Assuming they restore the old behavior, this 
> should require the least churn in our repos and means we're still 
> compatible with older versions that people may already have installed.
> I started pushing patches under 
> https://review.opendev.org/#/q/topic:cap-bandit (which prompted the 
> digression to start this email ;-) to implement this plan. This is 
> mostly intended to be informational, but if you have any concerns with 
> the plan above please do let us know immediately.
> Thanks.
> -Ben

More information about the openstack-discuss mailing list