[requirements][requests] security update for requests in stable branches

On 2019-02-15 18:57:31 +0000 (+0000), Jesse Pretorius wrote:
> I would also hope that generally devstack tests would desire would
> be to test with the same thing that everyone is using to validate
> whether those new library versions might break things.

Continuing to test the frozen set of stable branch dependencies most
closely approximates, typically, the state of frozen contemporary
packaged versions on LTS distros which are backporting select
security fixes to the versions they already ship. By testing our
release under development (master branch) with latest versions of
our dependencies, we attempt to ensure that we work with the
versions most likely to be present in upcoming distro releases.

Updating dependencies on stable branches makes for a moving target,
and further destabilizes testing on releases which have a hard time
getting maintainers to keep their testing viable at all. We don't
recommend running our stable branch source with the exact source
code represented by the dependencies we froze at the time of
release. It's expected they will be run within the scope of
distributions which separately keep track of and patch security
vulnerabilities in their contemporary forks of our dependencies as a
small part of the overall running system.

Jeremy Stanley