See the discussion @ https://review.openstack.org/#/c/70750/
I think this is not an acceptable change for the stable branch. We
promise a "safe source of fixes", which means seamless upgrades that do
not require extra actions for followers of the stable branch. IMHO
replacing a library dependency by another library requires extra actions
to be taken on the deployer side (making sure you have the new
dependency packaged / present), so it's out of line.
Now I hear the pressure from the distributions which have already ripped
out oauth2 -- the change is indeed harmless and desirable for them. But
I still think we'd break our promise for a safe source of fixes to every
user of the stablebranch if we accepted that patch.
In that case it seems fair for distributions which want to replace
oauth2 with a safer alternative to carry a specific patch.
Thoughts ? Do we have past examples of introducing new deps in stable
branch updates ?
--
Thierry Carrez (ttx)
_______________________________________________
Openstack-stable-maint mailing list
Openstack-stable-maint@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-stable-maint