-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/29/2015 08:18 PM, Ryan Hsu wrote:
> Hi All,
> 
> There was a change [1] 2 days ago in django-openstack-auth that
> introduces a new requirement oslo.config>=1.6.0 to the project,
> which is now present in the 1.1.9 release of django-openstack-auth.
> While this change is in sync with master requirements,
> oslo.config>=1.6.0, it does not jive with stable/icehouse
> requirements which is >=1.2.0,<1.5. Because stable/icehouse horizon
> does not have an upper-bound version requirement for
> django-openstack-auth, it currently takes this 1.1.9 release of
> django-openstack-auth with the conflicting oslo.config requirement.
> I have a bug open for this situation here [2].
> 
> My first thought was to create a patch [3] to cap the
> django-openstack-auth version in stable/icehouse requirements,
> however, a reviewer pointed out that django-openstack-auth 1.1.8
> has a security fix that would be desired. My other thought was to
> decrease the minimum required version in django-openstack-auth to
> equal that of stable/icehouse requirements but this would then
> conflict with master requirements. Does anyone have thoughts on how
> to best resolve this?

I personally don't believe we should be responsible for fetching all
security fixes in external libraries that don't maintain stable
branches and hence just break their consumers. In ideal world,
django-openstack-auth would have a stable branch where the security
fix would be backported.

But since the library does not follow best practices, I think we
should just cap it at whatever version is compatible with other
requirements, and allow deployers to locally patch their
django-openstack-auth with security fixes.

Bumping minimal oslo.config version due to the issue in
django-openstack-auth seems like a wrong way to do it.

/Ihar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU0KiPAAoJEC5aWaUY1u57uE0IAMrK8iupadmoE7c9gkO6otK/
JiccHV/O0Ov7pZY16NG20G8lkzapE2MWx4X3IYdc5Dxc4N7fBqUUpSwmEmWWbf5K
NWrUYGkWQc7jvScsEg0Xb2qChQjrI0DupRZcfzm19ymqqO325WuEcoLU13YVigFT
sin4BGwd6xk5G4dzRagXfo6sxGWdjd6/px7TEHeevTQ0sPH4mbyNgNn05qUqB69z
+wQN2tZ2hecoY1ouxa3ThOcS+iiiyvGtiA3b9+QRFgp4vdgmV8SwPUE8bb5MvEen
Gkei1K1zH6YI1Dgw9YWKeZuURUAnpTCfGwcP8cqGdOUDGDHtoD/aci9HWk8Y4UQ=
=UAk1
-----END PGP SIGNATURE-----

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to