[oslo] Bandit Strategy

Ben Nemec openstack at nemebean.com
Wed Jun 5 15:28:35 UTC 2019

Since it seems we need to backport this to the stable branches, I've 
added stable branch columns to https://ethercalc.openstack.org/ml1qj9xrnyfg

I know some backports have already been proposed, so if people can fill 
in the appropriate columns that would help avoid unnecessary work on 
projects that are already done.

Hopefully these will be clean backports, but I know at least one 
included a change to requirements.txt too. We'll need to make sure we 
don't accidentally backport any of those or we won't be able to release 
the stable branches.

As discussed in the meeting this week, we're only planning to backport 
to the active branches. The em branches can be updated if necessary, but 
we don't need to do a mass backport to them.

I think that's it. Let me know if you have any comments or questions. 


On 5/13/19 12:23 PM, Ben Nemec wrote:
> Nefarious cap bandits are running amok in the OpenStack community! Won't 
> someone take a stand against these villainous headwear thieves?!
>
> Oh, sorry, just pasted the elevator pitch for my new novel. ;-)
>
> Actually, this email is to summarize the plan we came up with in the 
> Oslo meeting this morning. Since we have a bunch of projects affected by 
> the Bandit breakage I wanted to make sure we had a common fix so we 
> don't have a bunch of slightly different approaches in each project. The 
> plan we agreed on in the meeting was to push a two patch series to each 
> repo - one to cap bandit <1.6.0 and one to uncap it with a !=1.6.0 
> exclusion. The first should be merged immediately to unblock CI, and the 
> latter can be rechecked once bandit 1.6.1 releases to verify that it 
> fixes the problem for us.
>
> We chose this approach instead of just tweaking the exclusion in tox.ini 
> because it's not clear that the current behavior will continue once 
> Bandit fixes the bug. Assuming they restore the old behavior, this 
> should require the least churn in our repos and means we're still 
> compatible with older versions that people may already have installed.
>
> I started pushing patches under 
> https://review.opendev.org/#/q/topic:cap-bandit (which prompted the 
> digression to start this email ;-) to implement this plan. This is 
> mostly intended to be informational, but if you have any concerns with 
> the plan above please do let us know immediately.
>
> Thanks.
>
> -Ben
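The two-patch plan above hinges on the difference between a cap (`bandit<1.6.0`) and an exclusion (`bandit!=1.6.0`): the cap blocks the hoped-for 1.6.1 fix, while the exclusion admits both older installs and the fixed release. The following is an added example, not code from the thread or from any OpenStack project: a small matcher for requirement lines of that shape, supporting only plain dotted numeric versions (no pre-release tags), which shows what each pin admits. The release list it checks is a constructed sample.

```python
"""Added example (not from the thread): a small matcher for requirement
lines such as 'bandit<1.6.0' and 'bandit!=1.6.0', covering only plain
dotted numeric versions, to show which releases each proposed pin admits."""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]

# Supported comparison operators; the regex below lists two-character
# operators first so that '<=' is not mis-read as '<' followed by '='.
_OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}
_CLAUSE_RE = re.compile(r"^\s*(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def parse_version(text: str) -> Version:
    """'1.6' -> (1, 6). Only numeric dotted releases are supported here."""
    return tuple(int(part) for part in text.strip().split("."))


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so that 1.6 and 1.6.0 compare as equal,
    matching how pip treats trailing zero components."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def parse_requirement(line: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """Split 'bandit>=1.1.0,!=1.6.0' into
    ('bandit', [('>=', (1, 1, 0)), ('!=', (1, 6, 0))])."""
    m = _NAME_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, spec = m.group(1), m.group(2).strip()
    clauses: List[Tuple[str, Version]] = []
    if spec:
        for clause in spec.split(","):
            cm = _CLAUSE_RE.match(clause)
            if not cm:
                raise ValueError(f"unsupported clause {clause!r} in {line!r}")
            clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses


def allowed(line: str, version: str) -> bool:
    """True if every clause of the requirement line admits the given version."""
    _, clauses = parse_requirement(line)
    candidate = parse_version(version)
    return all(_OPS[op](*_padded(candidate, target)) for op, target in clauses)


def allowed_versions(line: str, releases: List[str]) -> List[str]:
    """Filter a list of release strings down to those the line permits."""
    return [r for r in releases if allowed(line, r)]


# Constructed sample release list for illustration; 1.6.1 is the release
# the thread hopes will fix the problem.
SAMPLE_RELEASES = ["1.5.1", "1.6.0", "1.6.1"]

if __name__ == "__main__":
    for pin in ("bandit<1.6.0", "bandit!=1.6.0"):
        print(f"{pin:15} allows {allowed_versions(pin, SAMPLE_RELEASES)}")
```

Run against the sample list, the cap admits only 1.5.1, whereas the exclusion admits 1.5.1 and 1.6.1, which is why the second patch in the series can be rechecked as soon as 1.6.1 is out without touching the pin again.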
