On 01/29/2015 08:18 PM, Ryan Hsu wrote:
> Hi All,
>
> There was a change 2 days ago in django-openstack-auth that introduces a new requirement oslo.config>=1.6.0 to the project, which is now present in the 1.1.9 release of django-openstack-auth. While this change is in sync with master requirements, oslo.config>=1.6.0, it does not jive with stable/icehouse requirements which is >=1.2.0,<1.5. Because stable/icehouse horizon does not have an upper-bound version requirement for django-openstack-auth, it currently takes this 1.1.9 release of django-openstack-auth with the conflicting oslo.config requirement. I have a bug open for this situation here.
>
> My first thought was to create a patch to cap the django-openstack-auth version in stable/icehouse requirements, however, a reviewer pointed out that django-openstack-auth 1.1.8 has a security fix that would be desired. My other thought was to decrease the minimum required version in django-openstack-auth to equal that of stable/icehouse requirements but this would then conflict with master requirements. Does anyone have thoughts on how to best resolve this?
I personally don't believe we should be responsible for fetching all security fixes in external libraries that don't maintain stable branches and hence just break their consumers. In an ideal world, django-openstack-auth would have a stable branch where the security fix would be backported. But since the library does not follow best practices, I think we should just cap it at whatever version is compatible with other requirements, and allow deployers to locally patch their django-openstack-auth with security fixes. Bumping minimal oslo.config version due to the issue in django-openstack-auth seems like a wrong way to do it.

/Ihar
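The conflict Ryan describes (a master specifier that is disjoint from the stable/icehouse one, and a cap that must not drop the release carrying the security fix) can be checked mechanically before a requirements change is merged. The script below is an added example, not code from the thread or from OpenStack; it uses only the standard library, and the release lists it feeds in are constructed for illustration, not the real release histories of oslo.config or django-openstack-auth.

```python
"""Check whether requirement specifiers from two branches are jointly satisfiable.

Added example (not from the thread). Models the oslo.config clash between
master (>=1.6.0) and stable/icehouse (>=1.2.0,<1.5), and the question of
which django-openstack-auth cap excludes the conflicting 1.1.9 release
while still admitting 1.1.8. All release lists are constructed sample data.
"""
import re

def parse_version(v):
    """'1.1.9' -> (1, 1, 9); tuples compare numerically, so '1.10' > '1.9'."""
    return tuple(int(p) for p in v.split("."))

def parse_specifier(spec):
    """'name>=1.2.0,<1.5' -> ('name', [('>=', (1,2,0)), ('<', (1,5))])."""
    m = re.match(r"^([A-Za-z0-9_.-]+)(.*)$", spec.strip())
    name, rest = m.group(1), m.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in rest.split(","))):
        op, ver = re.match(r"^(>=|<=|==|!=|>|<)\s*([\d.]+)$", clause).groups()
        clauses.append((op, parse_version(ver)))
    return name, clauses

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">":  lambda a, b: a > b,  "<":  lambda a, b: a < b,
}

def satisfies(version, clauses):
    """True if a single release version meets every clause."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)

def allowed_versions(releases, *specs):
    """Releases of one package that satisfy every specifier given.
    An empty result for two branch specifiers means they are disjoint,
    i.e. no single release can ever satisfy both branches."""
    clause_sets = [parse_specifier(s)[1] for s in specs]
    return [r for r in releases if all(satisfies(r, c) for c in clause_sets)]

if __name__ == "__main__":
    OSLO = ["1.2.0", "1.3.0", "1.4.0", "1.5.0", "1.6.0"]      # constructed
    DOA = ["1.1.7", "1.1.8", "1.1.9"]                          # constructed
    print("master only:  ", allowed_versions(OSLO, "oslo.config>=1.6.0"))
    print("icehouse only:", allowed_versions(OSLO, "oslo.config>=1.2.0,<1.5"))
    print("both branches:", allowed_versions(OSLO, "oslo.config>=1.6.0",
                                             "oslo.config>=1.2.0,<1.5"))
    print("cap keeps fix:", allowed_versions(DOA, "django-openstack-auth>=1.1.8,<1.1.9"))
```

Running it prints an empty list for "both branches", which is the disjointness that makes lowering or raising one side's minimum a non-solution, and a cap of `>=1.1.8,<1.1.9` is the shape that excludes the conflicting release without losing the fixed one.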