On 01/29/2015 08:18 PM, Ryan Hsu wrote:
> Hi All,
> There was a change [1] 2 days ago in django-openstack-auth that
> introduces a new requirement oslo.config>=1.6.0 to the project,
> which is now present in the 1.1.9 release of django-openstack-auth.
> While this change is in sync with master requirements,
> oslo.config>=1.6.0, it does not jive with stable/icehouse
> requirements which is >=1.2.0,<1.5. Because stable/icehouse horizon
> does not have an upper-bound version requirement for
> django-openstack-auth, it currently takes this 1.1.9 release of
> django-openstack-auth with the conflicting oslo.config requirement.
> I have a bug open for this situation here [2].
> My first thought was to create a patch [3] to cap the
> django-openstack-auth version in stable/icehouse requirements,
> however, a reviewer pointed out that django-openstack-auth 1.1.8
> has a security fix that would be desired. My other thought was to
> decrease the minimum required version in django-openstack-auth to
> equal that of stable/icehouse requirements but this would then
> conflict with master requirements. Does anyone have thoughts on how
> to best resolve this?

I personally don't believe we should be responsible for fetching all
security fixes in external libraries that don't maintain stable
branches and hence just break their consumers. In an ideal world,
django-openstack-auth would have a stable branch where the security
fix would be backported.

But since the library does not follow best practices, I think we
should just cap it at whatever version is compatible with other
requirements, and allow deployers to locally patch their
django-openstack-auth with security fixes.

Bumping minimal oslo.config version due to the issue in
django-openstack-auth seems like a wrong way to do it.
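An added example (not code from the thread or from either project) that checks, with the specifiers quoted above, whether any oslo.config release can satisfy both stable/icehouse and django-openstack-auth 1.1.9; the release list is constructed for illustration, not the real release history.

```python
# Added example, not code from the thread: checks whether a library's
# dependency specifier can be met together with a stable branch's
# specifier, using the oslo.config specifiers discussed above.
from typing import List, Tuple


def parse_version(v: str, width: int = 3) -> Tuple[int, ...]:
    """'1.5' -> (1, 5, 0) so that tuple comparison is well defined."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (width - len(parts))


def parse_spec(spec: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """'>=1.2.0,<1.5' -> [('>=', (1, 2, 0)), ('<', (1, 5, 0))]."""
    clauses = []
    for raw in spec.split(","):
        raw = raw.strip()
        for op in (">=", "<=", "==", "!=", ">", "<"):
            if raw.startswith(op):
                clauses.append((op, parse_version(raw[len(op):])))
                break
        else:
            raise ValueError(f"unsupported clause: {raw!r}")
    return clauses


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def satisfies(version: str, spec: str) -> bool:
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_spec(spec))


def compatible_versions(spec_a: str, spec_b: str, candidates: List[str]) -> List[str]:
    """Candidates acceptable to both specifiers; an empty list means a hard conflict."""
    return [c for c in candidates if satisfies(c, spec_a) and satisfies(c, spec_b)]


# Specifiers from the thread and a constructed list of oslo.config
# releases to test against (illustrative, not the real release history).
ICEHOUSE_OSLO_CONFIG = ">=1.2.0,<1.5"
DOA_1_1_9_OSLO_CONFIG = ">=1.6.0"
OSLO_CONFIG_RELEASES = ["1.2.0", "1.2.1", "1.3.0", "1.4.0", "1.5.0", "1.6.0"]

if __name__ == "__main__":
    ok = compatible_versions(ICEHOUSE_OSLO_CONFIG, DOA_1_1_9_OSLO_CONFIG, OSLO_CONFIG_RELEASES)
    print("conflict: no release satisfies both" if not ok else f"installable: {ok}")
```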

OpenStack Development Mailing List (not for usage questions)