On 2019-02-15 18:57:31 +0000 (+0000), Jesse Pretorius wrote: [...]
> I would also hope that, generally, what devstack tests would desire would be to test with the same thing that everyone is using, to validate whether those new library versions might break things. [...]
Continuing to test the frozen set of stable branch dependencies most closely approximates, typically, the state of frozen contemporary packaged versions on LTS distros which are backporting select security fixes to the versions they already ship. By testing our release under development (master branch) with the latest versions of our dependencies, we attempt to ensure that we work with the versions most likely to be present in upcoming distro releases.

Updating dependencies on stable branches makes for a moving target, and further destabilizes testing on releases which have a hard time getting maintainers to keep their testing viable at all. We don't recommend running our stable branch source with the exact source code represented by the dependencies we froze at the time of release. It's expected they will be run within the scope of distributions which separately keep track of and patch security vulnerabilities in their contemporary forks of our dependencies as a small part of the overall running system.

-- 
Jeremy Stanley