
[requirements][requests] security update for requests in stable branches

> Updating dependencies on stable branches makes for a moving target,
> and further destabilizes testing on releases which have a hard time
> getting maintainers to keep their testing viable at all. We don't
> recommend running our stable branch source with the exact source
> code represented by the dependencies we froze at the time of
> release. It's expected they will be run within the scope of
> distributions which separately keep track of and patch security
> vulnerabilities in their contemporary forks of our dependencies as a
> small part of the overall running system.
> -- 
> Jeremy Stanley

It's sounding like we have two target audiences that have conflicting needs.

This makes a lot of sense for distros, and I think for the most part, our
policies so far have been in keeping with the needs of distro maintainers. It's
also less burden on upstream requirements management, which I think is very

The second group of folks are the deployment tools that are part of the
community that attempt to use pure upstream source as much as possible to
deploy stable versions of OpenStack services. My impression is, due to lack of
understanding (due to lack of communication (due to lack of knowing there was a
need for communication)), most of these deployment projects expected the
defined requirements and constraints to be maintained and accurate to get a
decent installation of a given project.

I have no suggestions for how to improve this, but I thought it worth pointing out
the issue.