[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)

Clint Byrum clint at fewbar.com
Thu Sep 18 14:18:57 UTC 2014


Excerpts from Donald Stufft's message of 2014-09-18 04:58:06 -0700:
> 
> > On Sep 18, 2014, at 7:54 AM, Thomas Goirand <zigo at debian.org> wrote:
> > 
> >> 
> >> Linux distributions are not the end be all of distribution models and
> >> they don’t get to dictate to upstream.
> > 
> > Well, distributions are where the final user is, and where software gets
> > consumed. Our priority should be the end users.
> 
> 
> Distributions are not the only place that people get their software from,
> unless you think that the ~3 million downloads requests has received
> on PyPI in the last 30 days are distributions downloading requests to
> package in their OSs.
> 

Do pypi users not also need to be able to detect and fix any versions
of libraries they might have? If one has some virtualenvs with various
libraries and apps installed and no --system-site-packages, one would
probably still want to run 'pip freeze' in all of them and find out what
libraries are there and need to be fixed.

Anyway, generally security updates require a comprehensive strategy.
One common comprehensive strategy is version assertion.

Vendoring complicates that immensely.
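An added illustration of the point above (example code written for this page, not from the thread or any OpenStack project): a version-assertion pass over constructed `pip freeze` output, followed by a walk of a constructed site-packages tree that finds the copy of urllib3 vendored under requests/packages, which the freeze-based assertion cannot see. All package names, paths and version numbers here are made-up sample values.

```python
import os
import re
import tempfile

# Constructed sample of 'pip freeze' output from one virtualenv (not real data).
SAMPLE_FREEZE = """\
python-glanceclient==0.14.0
requests==2.2.1
urllib3==1.7.1
"""

def parse_freeze(freeze_text):
    """Parse 'name==version' lines of 'pip freeze' into {name: version}."""
    pins = (l.strip().split("==", 1) for l in freeze_text.splitlines() if "==" in l)
    return {name.lower(): version for name, version in pins}

def version_tuple(v):
    """Crude numeric version key ('1.7.1' -> (1, 7, 1)); enough for ==-pins."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def assert_versions(installed, minimums):
    """Version assertion: (name, installed, minimum) for each package below its minimum."""
    outdated = []
    for name, minimum in minimums.items():
        current = installed.get(name.lower())
        if current and version_tuple(current) < version_tuple(minimum):
            outdated.append((name, current, minimum))
    return sorted(outdated)

def find_vendored(root, package="urllib3"):
    """Report copies of `package` nested inside another package (e.g.
    requests/packages/urllib3); 'pip freeze' never lists these."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if os.path.basename(dirpath) == package and "__init__.py" in files and os.sep in rel:
            with open(os.path.join(dirpath, "__init__.py")) as fh:
                m = re.search(r"__version__\s*=\s*['\"]([^'\"]+)", fh.read())
            hits.append((rel.replace(os.sep, "/"), m.group(1) if m else None))
    return sorted(hits)

def build_sample_tree():
    """Constructed site-packages layout: top-level urllib3 plus a vendored copy (made-up versions)."""
    root = tempfile.mkdtemp()
    for path, version in (("urllib3", "1.9.1"), ("requests/packages/urllib3", "1.9")):
        os.makedirs(os.path.join(root, path))
        with open(os.path.join(root, path, "__init__.py"), "w") as fh:
            fh.write("__version__ = %r\n" % version)
    return root
```

Pointing `find_vendored` at a real virtualenv's site-packages lists every nested copy that a `pip freeze`-based inventory would miss.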


