[openstack-dev] [olso] [cinder] upgrade issues in lock_path in cinder after oslo utils sync (was: creating a default for oslo config variables within a project?)

Yuriy Taraday yorik.sar at gmail.com
Fri Dec 6 21:14:50 UTC 2013


Hello, Sean.

I get the issue with the upgrade path. A user doesn't want to update the
config unless forced to do so.
But introducing code that weakens security and letting it stay is an
unconditionally bad idea.
It looks like we have to weigh two evils: having trouble upgrading and
lessening security. That's obvious.

Here are my thoughts on what we can do with it:
1. I think we should definitely force the user to do the appropriate
configuration to let us use secure ways to do locking.
2. We can wait one release to do so, e.g. issue a deprecation warning now
and force the user to do it the right way later.
3. If we are going to do 2, we should do it in the service that is affected,
not in the library, because a library shouldn't track releases of an
application that uses it. It should do its thing and do it right (secure).

So I would suggest dealing with it in Cinder by importing the 'lock_path'
option after parsing configs, issuing a deprecation warning and setting
it to tempfile.gettempdir() if it is still None.

-- 

Kind regards, Yuriy.
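
The service-side handling suggested in the message above, as an added sketch that is not part of the original post and is not Cinder or oslo code. The names `resolve_lock_path`, `shared_writable` and `LockPathError` are hypothetical, a plain value stands in for the parsed 'lock_path' option, and the check for a directory writable by other users is an extra assumption about what makes the temp-dir fallback weak.

```python
import os
import stat
import tempfile
import warnings


class LockPathError(Exception):
    """lock_path is unset after the deprecation period, or is unusable."""


def shared_writable(path):
    """True if group or others can write to the directory (as with /tmp)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_lock_path(configured, enforce=False):
    """Pick the lock directory after the service has parsed its config.

    configured -- value of 'lock_path' (None when the operator did not set it)
    enforce    -- False in the release that only warns, True in the later one
    """
    if configured is None:
        if enforce:
            raise LockPathError("lock_path must be set to a private directory")
        fallback = tempfile.gettempdir()
        warnings.warn(
            "lock_path is not set; falling back to %s. This fallback is "
            "deprecated and lock_path will become mandatory." % fallback,
            DeprecationWarning, stacklevel=2)
        return fallback
    path = os.path.abspath(configured)
    if not os.path.isdir(path):
        raise LockPathError("lock_path %r is not a directory" % path)
    if shared_writable(path):
        # An explicitly configured directory can still be shared; tell the operator.
        warnings.warn("lock_path %s is writable by other users" % path,
                      RuntimeWarning, stacklevel=2)
    return path


if __name__ == "__main__":
    # Constructed demo: an unset option, then a freshly created private directory.
    warnings.simplefilter("always")
    print(resolve_lock_path(None))
    print(resolve_lock_path(tempfile.mkdtemp(prefix="locks-")))
```
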