[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Mike Bayer mbayer at redhat.com
Wed Sep 17 20:11:25 UTC 2014


On Sep 17, 2014, at 3:42 PM, Ian Cordasco <ian.cordasco at rackspace.com> wrote:

> 
> Circling back to the issue of vendoring though: it’s a conscious decision
> to do this, and in the last two years there have been 2 CVEs reported for
> requests. There have been none for urllib3 and none for chardet. (Frankly
> I don’t think either urllib3 or chardet have had any CVEs reported against
> them, but let’s ignore that for now.) While security is typically the
> chief concern with vendoring, none of the libraries we use have had
> security issues rendering it a moot point in my opinion.

That’s just amazing.  Requests actually deals with security features *directly*, certificates, TLS connections, everything; to take the attitude that “well there’ve been hardly any security issues in a *whole two years*, so I’m not so concerned” is really not one that is acceptable by serious development teams.

Wouldn’t it be a problem for *you* if Requests itself were vendored?   You fix a major security hole, but your consuming projects don’t respond, their developers are on vacation, sorry, so that hole just keeps right on going.   People make sure to upgrade their Requests libraries locally, but for all those poor saps who have *no idea* they have widely used apps that are bundling it silently, they remain totally open to vulnerabilities and the black hats have disneyland at their disposal.   The blame keeps going right to you as well.  Is that really how things should be done?
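A defender-side check for the stale-bundled-copy problem described above, added here as an example and not code from this thread, from requests or from glanceclient: it walks a site-packages tree for every `urllib3` package directory, reads each `__version__`, and flags vendored copies that lag the top-level install. The directory layout and version numbers in `build_sample_tree` are constructed for the demo, and the "older than top-level" rule is an assumed policy.

```python
import re
import sysconfig
import tempfile
from pathlib import Path

# Matches `__version__ = "x.y.z"` in a package's __init__.py or _version.py.
VERSION_RE = re.compile(r'^__version__\s*=\s*[\'"]([^\'"]+)[\'"]', re.MULTILINE)


def _version_key(version):
    """Numeric sort key for a dotted version string (non-numeric parts ignored)."""
    return tuple(int(part) for part in re.findall(r"\d+", version or ""))


def find_copies(site_packages, package="urllib3"):
    """Map every directory named `package` under site_packages to its __version__."""
    root = Path(site_packages)
    copies = {}
    for init in root.glob(f"**/{package}/__init__.py"):
        version = None
        for candidate in (init, init.parent / "_version.py"):
            if candidate.is_file():
                match = VERSION_RE.search(candidate.read_text())
                if match:
                    version = match.group(1)
                    break
        copies[init.parent.relative_to(root).as_posix()] = version
    return copies


def stale_copies(copies, package="urllib3"):
    """Nested copies older than the top-level install, or with no readable version."""
    top = copies.get(package)
    return {
        path: version for path, version in copies.items()
        if path != package and (version is None or top is None
                                or _version_key(version) < _version_key(top))
    }


def build_sample_tree():
    """Constructed sample: top-level urllib3 plus a stale copy vendored inside requests."""
    root = Path(tempfile.mkdtemp())
    for rel in ("requests", "requests/packages"):
        (root / rel).mkdir(parents=True, exist_ok=True)
        (root / rel / "__init__.py").write_text("")
    for rel, version in (("urllib3", "1.9.1"), ("requests/packages/urllib3", "1.8.3")):
        (root / rel).mkdir(parents=True)
        (root / rel / "__init__.py").write_text(f"__version__ = '{version}'\n")
    return root


if __name__ == "__main__":
    target = sysconfig.get_paths()["purelib"]  # scan the interpreter's real site-packages
    found = find_copies(target)
    for path, version in stale_copies(found).items():
        print(f"stale vendored urllib3 {version} at {path} (top-level: {found.get('urllib3')})")
```

Run without arguments it scans the current interpreter's site-packages; `build_sample_tree()` gives a throwaway tree to try the check on first.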
