Hello Glancers,

I was looking at a Cinder patch [0] and it made me realize that we
should do a glanceclient release that includes the
multihash-download-verification [1] before the next scheduled Stein
release (which was to be 3.0.0, basically Rocky with v1 support removed;
see [2]).  I think it would be good to have the new verification change
released so other projects can consume the code and we can find out
sooner if it breaks anyone.  (I'm worried about allow_md5_fallback=False
[6], which I think is definitely the right thing for the CLI client, but
the discussion about allowing users to pick an os_hash_algo on Iain's
spec-lite [4] is making me worry about the effect that default value
could have on other services.)

Here are the options:
(1) backport [1] to stable/rocky and cut 2.12.1
(2) cut 2.13.0 from master and make it the first Stein glanceclient,
leaving legacy md5 checksum verification the only validation option in Rocky
(3) wait for 3.0.0 to include [1]
(4) change the default for allow_md5_fallback to True for the data()
function [6] (the CLI code already explicitly sets it and won't need to
be adjusted [5]) and then do (1) or (2) or (3)

Obviously, I don't like (3).  Not sure I like (4) either, but figured we
should at least think about it.

If we pick (1), we should merge the periodic tips job change [3] to
master and immediately backport it to stable/rocky before cutting the
release.  That way we won't have any unreleased patches sitting in

Let me know what you think.


[0] https://review.openstack.org/#/c/611081/
[2] https://launchpad.net/python-glanceclient/+series
[3] https://review.openstack.org/#/c/599844/
[4] https://review.openstack.org/#/c/597648/

OpenStack Development Mailing List (not for usage questions)