[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Clint Byrum clint at fewbar.com
Wed Sep 17 17:05:28 UTC 2014


This is where Debian's "one urllib3 to rule them all" model fails in
a modern fast paced world. Debian is arguably doing the right thing by
pushing everyone to use one API, and one library, so that when that one
library is found to be vulnerable to security problems, one update covers
everyone. Also, this is an HTTP/HTTPS library, so nobody can make the
argument that security isn't paramount in this context.

But we all know that the "app store" model has started to bleed down into
backend applications, and now you just ship the virtualenv or docker
container that has your app as you tested it, and if that means you're
20 versions behind on urllib3, that's your problem, not the OS vendor's.

I think it is _completely_ irresponsible of requests, a library, to
embed another library. But I don't know if we can avoid making use of
it if we are going to be exposed to objects that are attached to it.

Anyway, Thomas, if you're going to send the mob with pitchforks and
torches somewhere, I'd say send them to wherever requests makes its
home. OpenStack is just buying their mutated product.

Excerpts from Donald Stufft's message of 2014-09-17 08:22:48 -0700:
> Looking at the code on my phone it looks completely correct to use the vendored copy here and it wouldn't actually work otherwise. 
> 
> > On Sep 17, 2014, at 11:17 AM, Donald Stufft <donald at stufft.io> wrote:
> > 
> > I don't know the specific situation but it's appropriate to do this if you're using requests and wish to interact with the urllib3 that requests is using.
> > 
> >> On Sep 17, 2014, at 11:15 AM, Thomas Goirand <zigo at debian.org> wrote:
> >> 
> >> Hi,
> >> 
> >> I'm horrified by what I just found. I have just found out this in
> >> glanceclient:
> >> 
> >> File "<bla>/tests/test_ssl.py", line 19, in <module>
> >>   from requests.packages.urllib3 import poolmanager
> >> ImportError: No module named packages.urllib3
> >> 
> >> Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
> >> Not from requests. The fact that requests is embedding its own version
> >> of urllib3 is a heresy. In Debian, the embedded version of urllib3 is
> >> removed from requests.
> >> 
> >> In Debian, we spend a lot of time "un-vendorizing" stuff, because
> >> that's a security nightmare. I don't want to have to patch all of
> >> OpenStack to do it there as well.
> >> 
> >> And no, there's no good excuse here...
> >> 
> >> Thomas Goirand (zigo)
> >> 
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

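As an added example (not code from this thread, from glanceclient, requests or Debian), the Python below shows the two import paths the thread argues about: a resolver that takes the urllib3 requests actually uses, as Donald describes, but survives a de-vendored install where `requests.packages.urllib3` is gone, and an audit that tells an operator how many distinct urllib3 code bases would need patching after a urllib3 advisory, which is the security concern Thomas and Clint raise. All function names are mine, and `fake_environment` builds constructed module objects with made-up version strings so the code runs without requests or urllib3 installed.

```python
import importlib
from types import ModuleType
from typing import Dict, Optional

# The two places a urllib3 can live: the copy requests vendors (the import path
# glanceclient used) and the standalone package Debian moves requests onto.
VENDORED, STANDALONE = "requests.packages.urllib3", "urllib3"


def _try_import(import_fn, path: str) -> Optional[ModuleType]:
    try:
        return import_fn(path)
    except ImportError:
        return None


def resolve_requests_urllib3(import_fn=importlib.import_module) -> ModuleType:
    """The urllib3 requests uses; on de-vendored installs fall back to the standalone one."""
    return _try_import(import_fn, VENDORED) or import_fn(STANDALONE)


def audit_urllib3(import_fn=importlib.import_module) -> Dict[str, object]:
    """Inventory both import paths: how many urllib3 code bases need patching, and do they diverge."""
    modules = {p: _try_import(import_fn, p) for p in (VENDORED, STANDALONE)}
    versions = {p: getattr(m, "__version__", None) for p, m in modules.items()}
    vend, stand = modules[VENDORED], modules[STANDALONE]
    if vend is None:
        state = "de-vendored"    # only the standalone copy exists (Debian's model)
    elif stand is None:
        state = "vendored-only"  # only requests' private copy is importable
    elif vend is stand:
        state = "aliased"        # requests.packages re-exports the system urllib3
    elif versions[VENDORED] == versions[STANDALONE]:
        state = "duplicated"     # two code bases that happen to match today
    else:
        state = "diverged"       # two code bases; one may lag behind on security fixes
    copies = len({id(m) for m in modules.values() if m is not None})
    return {"state": state, "copies_to_patch": copies, "versions": versions}


def fake_environment(vendored: Optional[str], standalone: Optional[str], aliased=False):
    """Constructed importer (no real requests/urllib3): args are __version__ strings or None."""
    mods: Dict[str, ModuleType] = {}
    for path, ver in ((STANDALONE, standalone), (VENDORED, vendored)):
        if ver is not None:
            mods[path] = ModuleType(path)
            mods[path].__version__ = ver
    if aliased and STANDALONE in mods:
        mods[VENDORED] = mods[STANDALONE]  # Debian-style: one module under both names

    def import_fn(name: str) -> ModuleType:
        if name not in mods:
            raise ImportError("No module named " + name)
        return mods[name]
    return import_fn
```

Run `audit_urllib3()` with the default importer on a real host to see which of the five states that deployment is in; "diverged" is the case the thread warns about, where a fix to the system urllib3 leaves the copy inside requests untouched.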