[Openstack-stable-maint] Replacing oauth2 by oauthlib

Alan Pevec apevec at gmail.com
Mon Mar 24 21:39:05 UTC 2014


2014-03-24 22:16 GMT+01:00 Adam Gandelman <adamg at ubuntu.com>:
> I don't know of any examples of introducing *new* deps in stable branch updates, but there have
> been several occasions where version requirements were bumped higher to unblock gate
> issues. IMHO that can be worse for stable distros (as opposed to requiring a new dependency
> that most can provide)

We recently had a version bump for neutronclient and documented it in
release notes https://wiki.openstack.org/wiki/ReleaseNotes/2013.2.2#Neutron
But OpenStack clients don't have an official stable branch, so in theory
it should be safe to update.

> That said, I'm heavily leaning toward -1 on this as well.  This isn't a new
> bug.  Concerns about the use of python-oauth2 in Keystone on LP go back a
> while now, and a decision was made to ship optional oauth support in Havana
> using python-oauth2.  I don't think we can undo that now.  A better solution
> would be to add a big ugly warning to documentation referencing relevant
> CVEs and mentioning the issue is fixed in Icehouse.

ok, let's do that - what would be the right place, under
https://wiki.openstack.org/wiki/ReleaseNotes/2013.2.3#Known_Issues_and_Limitations
or somewhere in official docs?

> I also don't think it's unreasonable for distros to carry their own
> cherry-picked patch from Icehouse to address the issue.

The other option would be to drop the optional code due to security concerns.

Cheers,
Alan
