[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Thomas Goirand zigo at debian.org
Wed Sep 17 15:15:32 UTC 2014


I'm horrified by what I just found. I have just found out this in

  File "<bla>/tests/test_ssl.py", line 19, in <module>
    from requests.packages.urllib3 import poolmanager
ImportError: No module named packages.urllib3

Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
Not from requests. The fact that requests is embedding its own version
of urllib3 is an heresy. In Debian, the embedded version of urllib3 is
removed from requests.

In Debian, we spend a lot of time to "un-vendorize" stuff, because
that's a security nightmare. I don't want to have to patch all of
OpenStack to do it there as well.

And no, there's no good excuse here...

Thomas Goirand (zigo)

More information about the OpenStack-dev mailing list