[Openstack-stable-maint] Replacing oauth2 by oauthlib
Alan Pevec
apevec at gmail.com
Mon Mar 24 21:39:05 UTC 2014
2014-03-24 22:16 GMT+01:00 Adam Gandelman <adamg at ubuntu.com>:
> I don't know of any examples of introducing *new* deps in stable branch updates, but there have
> been several occasions where version requirements were bumped higher to unblock gate
> issues. IMHO that can be worse for stable distros (as opposed to requiring a new dependency
> that most can provide).
We recently had a version bump for neutronclient and documented it in
the release notes: https://wiki.openstack.org/wiki/ReleaseNotes/2013.2.2#Neutron
But OpenStack clients don't have an official stable branch, so in theory
it should be safe to update.
> That said, I'm heavily leaning toward -1 on this as well. This isn't a new
> bug. Concerns about the use of python-oauth2 in Keystone on LP go back a
> while now, and a decision was made to ship optional oauth support in Havana
> using python-oauth2. I don't think we can undo that now. A better solution
> would be to add a big ugly warning to the documentation referencing the relevant
> CVEs and mentioning that the issue is fixed in Icehouse.
OK, let's do that. What would be the right place: under
https://wiki.openstack.org/wiki/ReleaseNotes/2013.2.3#Known_Issues_and_Limitations
or somewhere in the official docs?
> I also don't think it's unreasonable for distros to carry their own
> cherry-picked patch from Icehouse to address the issue.
The other option would be to drop the optional code due to security concerns.
Cheers,
Alan