[all] Devstack jobs are failing due to a git security fix

Jeremy Stanley fungi at yuggoth.org
Wed Apr 13 22:05:31 UTC 2022

On 2022-04-13 11:59:20 +0000 (+0000), Jeremy Stanley wrote:
> Forgive me as caffeine is still finding its way into my veins, but
> it has occurred to me that the error is occurring because we're
> calling PBR (and thus Git) while installing the software, when
> that's not strictly necessary. It happens because we're taking
> advantage of pip's ability to call out to a build process before
> installing, but we can always separate building and installing. The
> former doesn't need root privs, and the latter doesn't need to call
> PBR/Git.
> Update the install-from-source routine to build a wheel as stack and
> then only sudo pip install the resulting wheel.

I was able to make a successful go of this in
https://review.opendev.org/837731 so if there's interest we have
evidence it's possible to continue down that path. Unfortunately, it
comes at the expense of losing editable mode installation (pip
install -e, setup.py develop) as that doesn't use pip's normal
package-then-install codepath and instead tightly couples the build
and install steps.

I've heard from a couple of people so far that editable mode support
in DevStack is critical to keep, so it's probably better to
resurrect the venv install solution in
https://review.opendev.org/558930 since that would allow us to drop
the `sudo pip install` nastiness once and for all.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220413/df1992c3/attachment.sig>

More information about the openstack-discuss mailing list