[all][requirements][stable] requests version bump on stable brances {pike|queens} for CVE-2018-18074

Dirk Müller dirk at dmllr.de
Wed May 22 23:09:58 UTC 2019

Hi Jeremy,

> Doing conformance testing on those distros with their packaged
> versions of our external dependencies would much more closely
> approximate what I think you want

I think that would also work. Would the community be interested
in solving conformance incompatibilities when purely vendored
versions are used? I somehow have doubts. Would we track
the vendored version/releases in a constraints file to ensure
gating issues are not creeping in?

All the existing tooling is around tracking lower and upper constraints
as defined by pip and our opendev defined wheel mirrors.

Unless we have a tool that translate pip install commands
into the respective distribution equivalent, such a vendored-test
also adds significant drag for projects : maintaining two different
ways to install things and for X number of vendors to cross-check
 and help debug  solve integration issues. Plus the amount of
extra CI load this might cause. Not a fun task.

Considering that I would prefer to volunteer maintaining a pypi/pip wheel
fork of the  ~5 dependencies with security vulnerabilities that we care
about and pull those in instead of exposing the full scope of X vendors
downstream specific patching issues to us as a community.


More information about the openstack-discuss mailing list