On Sep 17, 2014, at 3:42 PM, Ian Cordasco <ian.corda...@rackspace.com> wrote:

> Circling back to the issue of vendoring though: it’s a conscious decision
> to do this, and in the last two years there have been 2 CVEs reported for
> requests. There have been none for urllib3 and none for chardet. (Frankly
> I don’t think either urllib3 or chardet have had any CVEs reported against
> them, but let’s ignore that for now.) While security is typically the
> chief concern with vendoring, none of the libraries we use have had
> security issues rendering it a moot point in my opinion.

That’s just amazing. Requests actually deals with security features
*directly*, certificates, TLS connections, everything; to take the attitude
that “well there’ve been hardly any security issues in a *whole two years*, so
I’m not so concerned” is really not one that is acceptable to serious
development teams.

Wouldn’t it be a problem for *you* if Requests itself were vendored? You fix
a major security hole, but your consuming projects don’t respond, their
developers are on vacation, sorry, so that hole just keeps right on going.
People make sure to upgrade their Requests libraries locally, but for all those
poor saps who have *no idea* they have widely used apps that are bundling it
silently, they remain totally open to vulnerabilities and the black hats have
Disneyland at their disposal. The blame keeps going right to you as well. Is
that really how things should be done?

OpenStack-dev mailing list

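The failure mode argued over in this thread is that a vendored copy of requests, urllib3 or chardet sits inside some other package and silently stays at whatever version it was bundled at, long after the upstream fix shipped. The following audit script is an added example for this page, not code from the thread, from Requests or from urllib3: it walks a source tree, finds nested copies of those three packages, reads their `__version__`, and reports any copy older than the version you have actually patched to. It assumes each vendored package exposes `__version__` as a string in its `__init__.py`; the sample tree it builds and the reference versions it compares against are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Packages named in the thread; a copy counts as "vendored" when its
# directory lives inside another Python package rather than at top level.
WATCHED = ("requests", "urllib3", "chardet")
VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_version(text):
    """Turn '1.9.1' into (1, 9, 1); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_vendored_copies(root):
    """Return sorted (package, version, relative_path) for every watched package
    whose __init__.py is nested under another package's __init__.py.
    Assumption: the vendored copy declares __version__ in its __init__.py."""
    root = Path(root)
    hits = []
    for init in root.rglob("__init__.py"):
        pkg_dir = init.parent
        if pkg_dir.name not in WATCHED:
            continue
        if not (pkg_dir.parent / "__init__.py").exists():
            continue  # top-level install, not a bundled copy
        m = VERSION_RE.search(init.read_text(encoding="utf-8", errors="replace"))
        version = m.group(1) if m else "unknown"
        hits.append((pkg_dir.name, version, init.relative_to(root).as_posix()))
    return sorted(hits)


def stale_copies(copies, reference):
    """Return (package, found_version, reference_version, path) for each copy
    older than the reference version for that package. Copies whose version
    could not be read are always reported, since they cannot be cleared."""
    stale = []
    for name, version, path in copies:
        ref = reference.get(name)
        if ref is None:
            continue
        if version == "unknown" or parse_version(version) < parse_version(ref):
            stale.append((name, version, ref, path))
    return stale


def build_sample_tree(root):
    """Constructed sample layout (placeholder versions, not from the thread):
    an application that vendors requests, which itself bundles urllib3 and chardet."""
    files = {
        "myapp/__init__.py": "",
        "myapp/vendor/__init__.py": "",
        "myapp/vendor/requests/__init__.py": "__version__ = '2.3.0'\n",
        "myapp/vendor/requests/packages/__init__.py": "",
        "myapp/vendor/requests/packages/urllib3/__init__.py": "__version__ = '1.8.2'\n",
        "myapp/vendor/requests/packages/chardet/__init__.py": "__version__ = '2.2.1'\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def audit_sample():
    """Build the sample tree in a temp dir and audit it against placeholder
    reference versions (the versions you consider patched)."""
    reference = {"requests": "2.4.1", "urllib3": "1.9", "chardet": "2.2.1"}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        copies = find_vendored_copies(tmp)
        return copies, stale_copies(copies, reference)


if __name__ == "__main__":
    found, stale = audit_sample()
    for name, version, path in found:
        print(f"vendored {name} {version} at {path}")
    for name, version, ref, path in stale:
        print(f"STALE: {name} {version} < {ref} ({path})")
```

Run it against a real checkout by replacing `audit_sample()` with a call to `find_vendored_copies("/path/to/tree")` and a reference map filled from your own inventory; the point of the check is that a bundled copy is invisible to `pip list` and the packaging tools, so it has to be found on disk.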