[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Donald Stufft donald at stufft.io
Wed Sep 17 15:22:48 UTC 2014


Looking at the code on my phone it looks completely correct to use the vendored copy here and it wouldn't actually work otherwise. 

> On Sep 17, 2014, at 11:17 AM, Donald Stufft <donald at stufft.io> wrote:
> 
> I don't know the specific situation but it's appropriate to do this if you're using requests and wish to interact with the urllib3 that requests is using.
> 
>> On Sep 17, 2014, at 11:15 AM, Thomas Goirand <zigo at debian.org> wrote:
>> 
>> Hi,
>> 
>> I'm horrified by what I just found. I have just found this in
>> glanceclient:
>> 
>> File "<bla>/tests/test_ssl.py", line 19, in <module>
>>   from requests.packages.urllib3 import poolmanager
>> ImportError: No module named packages.urllib3
>> 
>> Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
>> Not from requests. The fact that requests is embedding its own version
>> of urllib3 is a heresy. In Debian, the embedded version of urllib3 is
>> removed from requests.
>> 
>> In Debian, we spend a lot of time "un-vendorizing" stuff, because
>> that's a security nightmare. I don't want to have to patch all of
>> OpenStack to do it there as well.
>> 
>> And no, there's no good excuse here...
>> 
>> Thomas Goirand (zigo)
>> 
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
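
The audit problem this thread argues about, as an added example that is not part of any message here or of the requests or Debian tooling: a standard-library scan that lists bundled package copies (such as `requests/packages/urllib3`) next to a standalone copy of the same name. The directory-name list, the function names and the version strings in the sample tree are constructed assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

VENDOR_DIRS = {"packages", "_vendor", "vendor", "extern"}  # assumed names, heuristic
VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)


def read_version(pkg_dir):
    """Return the __version__ string from pkg_dir/__init__.py, or None."""
    try:
        text = Path(pkg_dir, "__init__.py").read_text(encoding="utf-8")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def find_vendored(site_dir):
    """List (bundled_path, name, bundled_version, top_level_version) tuples."""
    findings = []
    for root, dirs, _files in os.walk(site_dir):
        if root == site_dir or os.path.basename(root) not in VENDOR_DIRS:
            continue
        for name in sorted(dirs):
            bundled = os.path.join(root, name)
            if os.path.isfile(os.path.join(bundled, "__init__.py")):
                findings.append((os.path.relpath(bundled, site_dir), name,
                                 read_version(bundled),
                                 read_version(os.path.join(site_dir, name))))
    return findings


def scan_sample():
    """Scan a constructed tree; the version strings are made up for the demo."""
    layout = {
        "requests/packages/__init__.py": "",
        "requests/packages/urllib3/__init__.py": "__version__ = '0.0.1'\n",
        "urllib3/__init__.py": "__version__ = '0.0.2'\n",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, body in layout.items():
            path = Path(base, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return find_vendored(base)
```

A `None` in the last field means no standalone copy exists beside the bundled one; differing versions mean a fix applied to one copy has not reached the other.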


