[Openstack-stable-maint] Replacing oauth2 by oauthlib

Thierry Carrez thierry at openstack.org
Tue Mar 25 09:26:13 UTC 2014


Doug Hellmann wrote:
> On Mon, Mar 24, 2014 at 5:55 PM, Alan Pevec <apevec at gmail.com> wrote:
> 
>     2014-03-24 19:14 GMT+01:00 Doug Hellmann <doug.hellmann at dreamhost.com>:
>     > I tend to agree that a dependency change like this is "too big."
>     > OTOH, do we have any security ramifications for leaving the code
>     > as-is? Would it make sense to try to figure out which library is
>     > available and use it, rather than requiring one or the other?
> 
>     That would be a stable-only patch so it would be even more risky IMHO.
>     I guess the solution here is to document security issues clearly in
>     2013.2.3 release notes as Adam suggested.

FWIW the security issues detected so far are mostly weaknesses in nonce
generators. The main issue is that it's security-sensitive and
abandoned, so distributions want to get rid of it proactively.

In our case I would document in the release notes that oauth2 is
abandoned upstream and that distributions that want to avoid it for
Havana may apply this optional patch at [URL].

This is a typical case where distro-side patches make sense. It's
temporary (icehouse fixed it) and distro-specific (not every
distribution dumped it yet).

-- 
Thierry Carrez (ttx)
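The message above says the known problems are "weaknesses in nonce generators" without spelling out what that means in practice. The block below is an added illustration, not code from the oauth2 library, from oauthlib, or from any of the posters: it contrasts a constructed weak nonce generator built on Python's Mersenne Twister (`random.Random`) with one built on `secrets`, and shows the attacker's side, recovering a low-entropy seed by brute force and predicting the next nonce. The seed value, the seed range and the nonce length are assumptions chosen for the demonstration.

```python
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols per position


def weak_nonce(rng: random.Random, length: int = 32) -> str:
    """Constructed example of a weak nonce generator (not any real library's code).

    It draws from a Mersenne Twister (`random.Random`), whose whole output
    sequence is fixed by its seed/state; it was never designed to resist
    prediction, so a nonce from it is only as unpredictable as the seed.
    """
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_nonce(length: int = 32) -> str:
    """Nonce drawn from the OS CSPRNG through `secrets`, the standard
    replacement for `random` in security-sensitive code."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(observed: str, seed_range: range) -> Optional[int]:
    """Attacker side. Assumption for the demo: the server seeded its generator
    from a low-entropy value (a small integer, e.g. a truncated timestamp).
    Try each candidate seed until one reproduces the observed nonce."""
    for seed in seed_range:
        if weak_nonce(random.Random(seed), len(observed)) == observed:
            return seed
    return None


def predict_next(seed: int, already_issued: int, length: int = 32) -> str:
    """Replay the generator from the recovered seed, skip the nonces the
    server has already handed out, and return the one it will issue next."""
    rng = random.Random(seed)
    for _ in range(already_issued):
        weak_nonce(rng, length)
    return weak_nonce(rng, length)


def demo() -> dict:
    """Run the seed-recovery attack against the weak generator and a basic
    sanity check against the strong one; results are returned, not printed,
    so they can be asserted on."""
    server_seed = 4711  # constructed: a low-entropy seed inside the attacker's guess range
    server_rng = random.Random(server_seed)
    first = weak_nonce(server_rng)   # observed by the attacker (e.g. on the wire)
    second = weak_nonce(server_rng)  # the one the attacker wants to predict

    recovered = recover_seed(first, range(0, 10_000))
    predicted = predict_next(recovered, already_issued=1) if recovered is not None else None

    strong_a, strong_b = strong_nonce(), strong_nonce()
    return {
        "recovered_seed": recovered,
        "weak_predicted_correctly": predicted == second,
        "strong_distinct": strong_a != strong_b,
        "strong_len": len(strong_a),
        "strong_alphabet_ok": all(c in ALPHABET for c in strong_a + strong_b),
    }


if __name__ == "__main__":
    print(demo())
```

The brute-force step only works because the demo seeds from a tiny range; the more general point is that the Mersenne Twister is not a secret-keeping generator at all: an observer who collects enough raw outputs (624 consecutive 32-bit words for the standard MT19937) can reconstruct its full internal state without guessing any seed. For nonces, OAuth or otherwise, the fix is the same in every case: draw from the OS CSPRNG (`secrets`, `os.urandom`) rather than from `random`.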


