[oslo][requirements] Bandit Strategy

Matthew Thode mthode at mthode.org
Thu May 16 15:26:51 UTC 2019

On 19-05-16 10:21:04, Ben Nemec wrote:
> On 5/16/19 12:41 AM, Tony Breeds wrote:
> > On Tue, May 14, 2019 at 11:09:26AM -0400, Zane Bitter wrote:
> > 
> > > It's breaking the whole world and I'm actually not sure there's a good
> > > reason for it. Who cares if sphinx 2.0 doesn't run on Python 2.7 when we set
> > > and achieved a goal in Stein to only run docs jobs under Python 3? It's
> > > unavoidable for stable/rocky and earlier but it seems like the pain on
> > > master is not necessary.
> > 
> > While we support python2 *anywhere* we need to do this.  The current
> > tools (both ours and the broader python ecosystem) need to have these
> > markers.
> > 
> > I apologise that we managed to mess this up; we're looking at how we can
> > avoid this in the future, but we don't really get any kind of signals
> > about $library dropping support for $python_version.  The py2 thing is
> > more visible than a py3 minor release but they're broadly the same thing.
>
> The biggest problem here was the timing with the Bandit issue. Normally this
> would have only blocked patches that needed to change requirements, but
> because most of our repos needed a requirements change to unblock them it
> became a bigger issue than it normally would have been.
> That said, it would be nice if we could come up with a less intrusive way to
> handle this in the future. I'd rather not have to keep merging a ton of
> requirements patches when dependencies drop py2 support.

We are trying to determine if using constraints alone is sufficient.  pip
not having a depsolver strikes again.

Matthew Thode