[Openstack-stable-maint] Replacing oauth2 by oauthlib
Thierry Carrez
thierry at openstack.org
Tue Mar 25 09:26:13 UTC 2014
Doug Hellmann wrote:
> On Mon, Mar 24, 2014 at 5:55 PM, Alan Pevec <apevec at gmail.com> wrote:
>
> > 2014-03-24 19:14 GMT+01:00 Doug Hellmann <doug.hellmann at dreamhost.com>:
> > > I tend to agree that a dependency change like this is "too big." OTOH, do we
> > > have any security ramifications for leaving the code as-is? Would it make
> > > sense to try to figure out which library is available and use it, rather
> > > than requiring one or the other?
> >
> > That would be a stable-only patch so it would be even more risky IMHO.
> > I guess the solution here is to document security issues clearly in
> > 2013.2.3 release notes as Adam suggested.
FWIW the security issues detected so far are mostly weaknesses in nonce
generators. The main issue is that it's security-sensitive and
abandoned, so distributions want to get rid of it proactively.
In our case I would document in the release notes that oauth2 is
abandoned upstream and that distributions that want to avoid it for
Havana may apply this optional patch at [URL].
This is a typical case where distro-side patches make sense. It's
temporary (icehouse fixed it) and distro-specific (not every
distribution dumped it yet).
--
Thierry Carrez (ttx)