Looking at the code on my phone, it looks completely correct to use the vendored copy here, and it wouldn't actually work otherwise.

> On Sep 17, 2014, at 11:17 AM, Donald Stufft <don...@stufft.io> wrote:
>
> I don't know the specific situation but it's appropriate to do this if you're
> using requests and wish to interact with the urllib3 that requests is using.
>
>> On Sep 17, 2014, at 11:15 AM, Thomas Goirand <z...@debian.org> wrote:
>>
>> Hi,
>>
>> I'm horrified by what I just found. I have just found out this in
>> glanceclient:
>>
>> File "<bla>/tests/test_ssl.py", line 19, in <module>
>> from requests.packages.urllib3 import poolmanager
>> ImportError: No module named packages.urllib3
>>
>> Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
>> Not from requests. The fact that requests is embedding its own version
>> of urllib3 is an heresy. In Debian, the embedded version of urllib3 is
>> removed from requests.
>>
>> In Debian, we spend a lot of time to "un-vendorize" stuff, because
>> that's a security nightmare. I don't want to have to patch all of
>> OpenStack to do it there as well.
>>
>> And no, there's no good excuse here...
>>
>> Thomas Goirand (zigo)
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
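
For auditing a code base for the import pattern debated in this thread, an added example (not part of any message in the thread, and not glanceclient or Debian tooling): it walks a module's AST and reports every import that reaches into `requests.packages`. The function name `find_vendored_imports` and the sample source are constructed for illustration.

```python
import ast

# Namespace named in the traceback quoted in the thread.
VENDOR_PREFIX = "requests.packages"

# Constructed sample source, not taken from glanceclient.
SAMPLE = '''\
import requests
from requests.packages.urllib3 import poolmanager
from urllib3 import exceptions
try:
    from requests.packages import urllib3
except ImportError:
    import urllib3
'''


def find_vendored_imports(source, filename="<src>"):
    """Return sorted (lineno, dotted_name) pairs for imports under requests.packages."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            # import requests.packages.urllib3 [as alias]
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # from requests.packages import urllib3 -> requests.packages.urllib3
            names = [f"{node.module}.{alias.name}" for alias in node.names]
        else:
            # Not an import, or a relative import inside some other package.
            continue
        for name in names:
            if name == VENDOR_PREFIX or name.startswith(VENDOR_PREFIX + "."):
                hits.append((node.lineno, name))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, name in find_vendored_imports(SAMPLE):
        print(f"line {lineno}: imports {name}")
```

Imports of the standalone `urllib3` package are not reported, so the output lists only the places a packager who removes the embedded copy would need to review.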