2014-03-24 22:16 GMT+01:00 Adam Gandelman <adamg@ubuntu.com>:
I don't know of any examples of introducing *new* deps in stable branch updates, but there have been several occasions where version requirements were bumped higher to unblock gate issues. IMHO that can be worse for stable distros (as opposed to requiring a new dependency that most can provide)
We recently had a version bump for neutronclient and documented it in the release notes https://wiki.openstack.org/wiki/ReleaseNotes/2013.2.2#Neutron But OpenStack clients don't have an official stable branch, so in theory it should be safe to update.
That said, I'm heavily leaning toward -1 on this as well. This isn't a new bug. Concerns about the use of python-oauth2 in Keystone on LP go back a while now, and a decision was made to ship optional oauth support in Havana using python-oauth2. I don't think we can undo that now. A better solution would be to add a big ugly warning to the documentation referencing the relevant CVEs and mentioning that the issue is fixed in Icehouse.
OK, let's do that - what would be the right place, under https://wiki.openstack.org/wiki/ReleaseNotes/2013.2.3#Known_Issues_and_Limit... or somewhere in the official docs?
I also don't think it's unreasonable for distros to carry their own cherry-picked patch from Icehouse to address the issue.
The other option would be to drop the optional code due to security concerns. Cheers, Alan