[oslo][requirements] Bandit Strategy

Ben Nemec openstack at nemebean.com
Thu May 16 15:21:04 UTC 2019

On 5/16/19 12:41 AM, Tony Breeds wrote:
> On Tue, May 14, 2019 at 11:09:26AM -0400, Zane Bitter wrote:
>> It's breaking the whole world and I'm actually not sure there's a good
>> reason for it. Who cares if sphinx 2.0 doesn't run on Python 2.7 when we set
>> and achieved a goal in Stein to only run docs jobs under Python 3? It's
>> unavoidable for stable/rocky and earlier but it seems like the pain on
>> master is not necessary.
> While we support python2 *anywhere* we need to do this.  The current
> tools (both ours and the broader python ecosystem) need to have these
> markers.
> I apologise that we managed to mess this up; we're looking at how we can
> avoid this in the future, but we don't really get any kind of signals
> about $library dropping support for $python_version.  The py2 thing is
> more visible than a py3 minor release, but they're broadly the same thing.

The biggest problem here was the timing with the Bandit issue. Normally 
this would have only blocked patches that needed to change requirements, 
but because most of our repos needed a requirements change to unblock 
them it became a bigger issue than it normally would have been.

That said, it would be nice if we could come up with a less intrusive 
way to handle this in the future. I'd rather not have to keep merging a 
ton of requirements patches when dependencies drop py2 support.