To be explicit, that testing platform means we require that OpenStack and its dependencies are installable *in a virtualenv*, not using distro python. So while this is a small imitation for this case (we cannot use cryptography that might require newer tooling to build than that ubuntu LTS would), the real motivation behind holding onto a lower-constraint for a longer time is in partnership with stable distros that ship OpenStack, who we don't want to alienate by giving them extra work of using newer releases than they are ready to.

I am OK with this approach; but there is a trade-off: we may be leading OpenStack consumers who don't use distro packaging that it's OK to use an older cryptography which may not have security support. It'd be interesting if we could ensure backwards compatibility through testing while also ensuring that anything installed with pip gets a new enough version... but frankly, I don't know offhand what approach would be best to do that, and I don't have the time to pursue it myself so the status quo wins :D.

Thanks for talking this through, I like when we're explicit about the motivations for what we do!

--

Jay Faulkner

Ironic PTL

TC Member