Hi,

I'm horrified by what I just found. I have just found out this in
glanceclient:

  File "<bla>/tests/test_ssl.py", line 19, in <module>
    from requests.packages.urllib3 import poolmanager
ImportError: No module named packages.urllib3

Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
Not from requests. The fact that requests is embedding its own version
of urllib3 is an heresy. In Debian, the embedded version of urllib3 is
removed from requests.

In Debian, we spend a lot of time to "un-vendorize" stuff, because
that's a security nightmare. I don't want to have to patch all of
OpenStack to do it there as well.

And no, there's no good excuse here...

Thomas Goirand (zigo)

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to