[all][stable] bandit 1.6.3 drops py2 support

Lee Yarwood lyarwood at redhat.com
Wed Dec 9 15:41:33 UTC 2020


On 09-12-20 14:40:06, Jeremy Stanley wrote:
> On 2020-12-09 13:59:04 +0000 (+0000), Lee Yarwood wrote:
> > Hello all,
> > 
> > $subject [1][2] is breaking various <= stable/train jobs where we
> > attempt to pull bandit in while still using py2. This has been reported
> > upstream and it looks like the 1.6.3 release may end up being yanked.
> > 
> > If it isn't I've proposed the following requirements change to try to
> > cap bandit to the 1.6.2 release, assuming this is safe to do on stable:
> > 
> > Cap bandit at 1.6.2 when using py2
> > https://review.opendev.org/c/openstack/requirements/+/766170
> [...]
> 
> It's typically recommended to pin static analysis tools strictly
> less than the next major release in (test-)requirements lists of
> individual projects. Part of why it's blacklisted in the global
> requirements repository is so that the central upper-constraints.txt
> won't override project level decisions on what versions of these
> tools to run. Granted, it would also have made more sense if bandit
> uprevved to 2.0.0 when dropping Python 2.x support, so that
> in-project requirements in the form bandit<2 could have prevented
> the impact. But all that's to say, pinning bandit in stable branches
> of individual projects using it would be the more expected fix here.

ACK thanks Jeremy, I had started that below before going back to an
earlier attempt with requirements. I'll reopen these now and test things
in the Nova change.

https://review.opendev.org/q/topic:bug/1907438

Cheers,

-- 
Lee Yarwood                 A5D1 9385 88CB 7E5F BE64  6618 BCA6 6E33 F672 2D76
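
Added example, not part of the thread or of any OpenStack project's code: a check of which requirement lines would still let an installer select bandit 1.6.3, illustrating the point above that an in-project `bandit<2` pin alone would not have excluded that release. The requirement lines are constructed samples, the parser handles only plain numeric versions, and environment markers are dropped (the lines are evaluated as if on py2).

```python
import re

# Constructed sample requirement lines (not taken from any project).
SAMPLE_LINES = [
    "bandit>=1.1.0  # no upper bound",
    "bandit>=1.1.0,<2",
    "bandit>=1.1.0,<=1.6.2;python_version<'3'",
    "bandit>=1.1.0,!=1.6.3",
]

OPS = {
    "<": lambda v, b: v < b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    ">=": lambda v, b: v >= b,
    "==": lambda v, b: v == b,
    "!=": lambda v, b: v != b,
}


def parse_version(text):
    """Turn '1.6.3' or '2' into a 3-tuple such as (1, 6, 3) or (2, 0, 0)."""
    parts = [int(p) for p in text.strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def specifiers(line):
    """Return [(operator, version_tuple)] for one requirement line."""
    # Drop the trailing comment and the environment marker before matching.
    spec = line.split("#")[0].split(";")[0]
    found = re.findall(r"(<=|>=|==|!=|<|>)\s*([0-9.]+)", spec)
    return [(op, parse_version(ver)) for op, ver in found]


def admits(line, version):
    """True if every specifier on the line accepts the given version."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in specifiers(line))


def report(lines, version):
    """Map each requirement line to whether it admits the version."""
    return {line: admits(line, version) for line in lines}


if __name__ == "__main__":
    for line, ok in report(SAMPLE_LINES, "1.6.3").items():
        print("admits 1.6.3" if ok else "blocks 1.6.3", "|", line)
```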