Kami commented on issue #1594: URL: https://github.com/apache/libcloud/issues/1594#issuecomment-966689653
@justinmclean I read the ASF policy (https://www.apache.org/legal/resolved.html) and some of the related JIRA issues (https://issues.apache.org/jira/browse/LEGAL-572, https://issues.apache.org/jira/browse/LEGAL-220) and it doesn't appear that the answer is that straight and clear-cut in this scenario (or maybe my interpretation is wrong or I missed some ticket). I haven't really found much prior art either. There are a couple of things at play here:

1. We don't bundle any dependency directly with the library. Dependencies are installed when installing the library from PyPI using pip at install time.
2. The library with a problematic dependency in this case is a transitive dependency of requests, on which Libcloud relies, and not a direct dependency.

I'm of course all for being on the "safe side as much as possible", but sadly the issue is more complicated, because as mentioned above, Libcloud is a library and not an application. Libcloud is usually used as one of many building blocks among many other libraries to build different applications on top, and similar. This means we should use requirements as loose as possible and not pin dependencies to specific versions, since this will prevent many users from using the library if some other dependency in their stack depends on an older or a conflicting version (which is very likely the case with requests since 2.26.0 was released just recently, and I'm personally aware of multiple situations like that myself). Apache Airflow is a bit different and doesn't have the same problem since they are an application and not a library. And applications are usually encouraged (and it's also a best practice for reproducibility, security and other reasons) to pin all the dependencies to specific versions. In addition to that, we still support Python 3.5 and requests 2.2.26 only supports Python >= 3.6.

-- This is an automated message from the Apache Git Service.
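The comment's second point is that the license problem sits in a transitive dependency: a package Libcloud never names, pulled in through requests. The script below is an added example (not code from the libcloud project or from the commenter) showing how a library maintainer can audit that situation: it walks the dependency graph from a root distribution and reports every package whose license matches a deny-list, together with the path through which it is reached. The `installed_lookup` function reads real metadata from the current environment via `importlib.metadata`; the `SAMPLE_ENV` graph, its package names, versions and licenses are constructed placeholders so the example runs offline, not real project data.

```python
"""Walk a distribution's transitive dependency graph and flag packages whose
license matches a deny-list, reporting the path that pulls each one in.

Added example, not part of the libcloud issue. The SAMPLE_ENV names, versions
and licenses are constructed placeholders, not real project metadata.
"""
import re
from importlib import metadata
from typing import Callable, Dict, List, Optional, Tuple

# PEP 508 requirement strings look like "chardet (<5,>=3.0.2)", "urllib3<2"
# or "pysocks; extra == 'socks'"; we only need the leading distribution name.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(req: str) -> Optional[str]:
    """Return the normalised distribution name from a requirement string."""
    m = _NAME_RE.match(req)
    return m.group(1).lower().replace("_", "-") if m else None


def is_extra_only(req: str) -> bool:
    """True when the requirement is gated behind an extra, so a plain
    `pip install` of the parent does not bring it in."""
    return "extra ==" in req


# A lookup returns (license text, [requirement strings]) for a distribution,
# or None when that distribution is not present.
Lookup = Callable[[str], Optional[Tuple[str, List[str]]]]


def installed_lookup(name: str) -> Optional[Tuple[str, List[str]]]:
    """Lookup backed by importlib.metadata for the running interpreter."""
    try:
        dist = metadata.distribution(name)
    except metadata.PackageNotFoundError:
        return None
    return (dist.metadata.get("License", "") or "", dist.requires or [])


def find_flagged_licenses(root: str, lookup: Lookup, deny: Tuple[str, ...],
                          include_extras: bool = False) -> Dict[str, List[str]]:
    """Depth-first walk from `root`.

    Returns {package: path_from_root} for every package (root included) whose
    license text contains a deny-list term. Because the walk recurses through
    each dependency's own requirements, a package the root never names directly
    is still found, which is the transitive case the comment describes.
    """
    flagged: Dict[str, List[str]] = {}
    seen = set()

    def walk(name: str, path: List[str]) -> None:
        if name in seen:           # cycles and diamonds are visited once
            return
        seen.add(name)
        info = lookup(name)
        if info is None:           # not installed (or an extra we skipped)
            return
        license_text, reqs = info
        if any(term.lower() in license_text.lower() for term in deny):
            flagged[name] = path
        for req in reqs:
            if not include_extras and is_extra_only(req):
                continue
            dep = requirement_name(req)
            if dep:
                walk(dep, path + [dep])

    walk(root.lower(), [root.lower()])
    return flagged


# Constructed stand-in for an installed environment (placeholder names only):
# a library depends on requests, which drags in a copyleft-licensed package.
SAMPLE_ENV = {
    "mylib": ("Apache-2.0", ["requests>=2.0"]),
    "requests": ("Apache-2.0", ["charset-detector>=2.0", "urllib3<2",
                                "pysocks; extra == 'socks'"]),
    "charset-detector": ("LGPL-2.1", []),
    "urllib3": ("MIT", []),
    "pysocks": ("BSD", []),
}


def sample_lookup(name: str) -> Optional[Tuple[str, List[str]]]:
    return SAMPLE_ENV.get(name)


def audit_sample() -> Dict[str, List[str]]:
    """Audit the constructed graph against a deny-list of copyleft terms."""
    return find_flagged_licenses("mylib", sample_lookup, ("GPL",))


if __name__ == "__main__":
    for pkg, path in audit_sample().items():
        print(f"{pkg}: pulled in via {' -> '.join(path)}")
    # Against a real environment, swap in installed_lookup, e.g.:
    # find_flagged_licenses("apache-libcloud", installed_lookup, ("GPL",))
```

Running this on the constructed graph reports `charset-detector` with the path `mylib -> requests -> charset-detector`, which is exactly the kind of finding a loose `requests` requirement cannot prevent: pinning in the library would only fix it by forcing a version on every downstream application, the trade-off the comment is weighing. Extras are skipped by default because they are not installed by a plain `pip install` of the parent; pass `include_extras=True` to see them too.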
