[Openstack-stable-maint] Replacing oauth2 by oauthlib

Doug Hellmann doug.hellmann at dreamhost.com
Mon Mar 24 18:14:27 UTC 2014


On Mon, Mar 24, 2014 at 8:54 AM, Thierry Carrez <thierry at openstack.org> wrote:

> See the discussion @ https://review.openstack.org/#/c/70750/
>
> I think this is not an acceptable change for the stable branch. We
> promise a "safe source of fixes", which means seamless upgrades that do
> not require extra actions for followers of the stable branch. IMHO
> replacing a library dependency by another library requires extra actions
> to be taken on the deployer side (making sure you have the new
> dependency packaged / present), so it's out of line.
>
> Now I hear the pressure from the distributions which have already ripped
> out oauth2 -- the change is indeed harmless and desirable for them. But
> I still think we'd break our promise for a safe source of fixes to every
> user of the stable branch if we accepted that patch.
>
> In that case it seems fair for distributions which want to replace
> oauth2 with a safer alternative to carry a specific patch.
>
> Thoughts? Do we have past examples of introducing new deps in stable
> branch updates?
>
> --
> Thierry Carrez (ttx)
>

I tend to agree that a dependency change like this is "too big." OTOH, do
we have any security ramifications for leaving the code as-is? Would it
make sense to try to figure out which library is available and use it,
rather than requiring one or the other?

Doug
