[Openstack-stable-maint] Replacing oauth2 by oauthlib

Alan Pevec apevec at gmail.com
Mon Mar 24 21:55:37 UTC 2014


2014-03-24 19:14 GMT+01:00 Doug Hellmann <doug.hellmann at dreamhost.com>:
> I tend to agree that a dependency change like this is "too big." OTOH, do we
> have any security ramifications for leaving the code as-is? Would it make
> sense to try to figure out which library is available and use it, rather
> than requiring one or the other?

That would be a stable-only patch, so it would be even more risky IMHO.
I guess the solution here is to document security issues clearly in
2013.2.3 release notes as Adam suggested.

Cheers,
Alan


