<div dir="ltr"><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">I don't know of any examples of introducing *new* deps in stable branch updates, but there have been several occasions where version requirements were bumped higher to unblock gate issues. IMHO that can be worse for stable distros (as opposed to requiring a new dependency that most can provide)</div>
<div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">That said, I'm heavily leaning toward -1 on this as well. This isn't a new bug. Concerns about the use of the use python-oauth2 in Keystone on LP go a while now and a decision was made to ship optional oauth support in Havana's using python-oauth2. I don't think we can undo that now. A better solution would be to add a big ugly warning to documentation referencing relevant CVEs and mentioning the issue is fixed in Icehouse.</div>
<div style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></div><div style="font-family:arial,sans-serif;font-size:12.727272033691406px">I also don't think its unreasonable for distros to carry their own cherry-picked patch from Icehouse to address the issue.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 24, 2014 at 5:54 AM, Thierry Carrez <span dir="ltr"><<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">See the discussion @ <a href="https://review.openstack.org/#/c/70750/" target="_blank">https://review.openstack.org/#/c/70750/</a><br>
<br>
I think this is not an acceptable change for the stable branch. We<br>
promise a "safe source of fixes", which means seamless upgrades that do<br>
not require extra actions for followers of the stable branch. IMHO<br>
replacing a library dependency by another library requires extra actions<br>
to be taken on the deployer side (making sure you have the new<br>
dependency packaged / present), so it's out of line.<br>
<br>
Now I hear the pressure from the distributions which have already ripped<br>
out oauth2 -- the change is indeed harmless and desirable for them. But<br>
I still think we'd break our promise for a safe source of fixes to every<br>
user of the stablebranch if we accepted that patch.<br>
<br>
In that case it seems fair for distributions which want to replace<br>
oauth2 with a safer alternative to carry a specific patch.<br>
<br>
Thoughts ? Do we have past examples of introducing new deps in stable<br>
branch updates ?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Thierry Carrez (ttx)<br>
<br>
_______________________________________________<br>
Openstack-stable-maint mailing list<br>
<a href="mailto:Openstack-stable-maint@lists.openstack.org">Openstack-stable-maint@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint</a><br>
</font></span></blockquote></div><br></div>