[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)
Thomas Goirand
zigo at debian.org
Wed Sep 17 15:15:32 UTC 2014
Hi,
I'm horrified by what I just found. I have just found out this in
glanceclient:
File "<bla>/tests/test_ssl.py", line 19, in <module>
from requests.packages.urllib3 import poolmanager
ImportError: No module named packages.urllib3
Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
Not from requests. The fact that requests is embedding its own version
of urllib3 is an heresy. In Debian, the embedded version of urllib3 is
removed from requests.
In Debian, we spend a lot of time to "un-vendorize" stuff, because
that's a security nightmare. I don't want to have to patch all of
OpenStack to do it there as well.
And no, there's no good excuse here...
Thomas Goirand (zigo)
More information about the OpenStack-dev
mailing list