[all][requirements][stable] requests version bump on stable branches {pike|queens} for CVE-2018-18074

Jeremy Stanley fungi at yuggoth.org
Wed May 22 22:49:31 UTC 2019


On 2019-05-22 23:49:55 +0200 (+0200), Dirk Müller wrote:
[...snip bits about pragmatic compromise over absolutes...]
> Perhaps the projects that currently use upper constraints don't
> care about a secure virtualenv/container build, and that's fine. It
> still does have a point to test against the versions end users
> will most likely have, and they most likely have security fixed
> versions (because they're good users and run against a stable
> security maintained enterprise operating system). We'd be doing
> ourselves a favor by testing a situation that is coming close to
> the end user situation in our CI.
[...]

Doing conformance testing on those distros with their packaged
versions of our external dependencies would much more closely
approximate what I think you want than testing with a shifting set
of old-and-new Python dependencies installed from PyPI. It would
probably also be easier to maintain over the long haul.
-- 
Jeremy Stanley