On 2019-05-07 22:50:21 +0200 (+0200), Dirk Müller wrote:
On Tue., 7 May 2019 at 22:30, Matthew Thode <mthode@mthode.org> wrote:
Pike - 2.18.2 -> 2.20.1 - https://review.opendev.org/640727
Queens - 2.18.4 -> 2.20.1 - https://review.opendev.org/640710
Specifically it looks like we're already at the next issue, as tracked here:
https://github.com/kennethreitz/requests/issues/5065
Any concerns from anyone on these newer urllib3 updates? I guess we'll do them a bit later though.
It's still unclear to me why we're doing this at all. Our stable constraints lists are supposed to be a snapshot in time from when we released, modulo stable point release updates of the libraries we're maintaining. Agreeing to bump random dependencies on stable branches because of security vulnerabilities in them is a slippery slope toward our users expecting the project to be on top of vulnerability announcements for every one of the ~600 packages in our constraints list. Deployment projects already should not depend on our requirements team tracking security vulnerabilities, so they need to have a mechanism to override constraints entries anyway if they're making such guarantees to their users (and I would also caution against doing that too). Distributions are far better equipped than our project to handle such tracking, as they generally get advance notice of vulnerabilities and selectively backport fixes for them. Trying to accomplish the same with a mix of old and new dependency versions in our increasingly aging stable and extended maintenance branches seems like a disaster waiting to happen.</soapbox>

-- 
Jeremy Stanley