[openstack-dev] Please do *NOT* use "vendorized" versions of anything (here: glanceclient using requests.packages.urllib3)
Thomas Goirand
zigo at debian.org
Sun Sep 21 14:22:25 UTC 2014
On 09/18/2014 05:22 AM, Dean Troyer wrote:
> On Wed, Sep 17, 2014 at 3:53 PM, Robert Collins
> <robertc at robertcollins.net> wrote:
>
> On 18 September 2014 08:01, Dean Troyer <dtroyer at gmail.com> wrote:
> > Interestingly enough, the distros are doing exactly what they don't want us
> > to do, ie, rebuilding things to use 'their' tested version of dependencies
> > rather than the included one...
We don't use "our" tested version, we use upstream's, and a single
version of it.
> Indeed - but the distros are solving for two specific issues:
>
>
> No argument, just observing the recursive nature of this...
>
> Also, if we pin to a version, is the downstream consequence different?
> IIRC Thomas has had to do this with Django (1.7?) and Horizon, probably
> with others too.
Correct. And there are still some open issues with it, though mostly it
has been dealt with. There was also SQLAlchemy 0.8 then 0.9 a year ago
as well. Though since Mike Bayer works on OpenStack support now, I'm
sure I won't have to deal with any SQLA issue again.

It's a common mistake to think that "we just need to pin". Pinning (the
upper bound) doesn't solve any issue, apart from having the tests pass
the gate. This is sometimes urgent to "fix" the gate, so I understand
why this is done. The reality is that packages in a distribution share
common dependencies, and OpenStack isn't alone in the distro.

Luckily, (almost?) everyone in the OpenStack community understands this,
and so far, I've received *a lot* of help from everyone. You have no
idea how important this is to me. Kudos to everyone who does help or
who at least gives moral support! :)
> As a provider of an app package directly to users, dealing with the
> front-line consequences of changing dependencies falls on me. And it's
> one reason with this hat on I want static linking, or a Python
> equivalent of it (bundling/vendoring) at the app level.
For a few days now, the Debian policy manual has explicitly forbidden
static linking. I fully agree with the decision to make it explicit.
Cheers,
Thomas Goirand (zigo)