I was trying to request-ify oslo.vmware and ran into this as well:
https://review.openstack.org/#/c/121956/

And we don't seem to have urllib3 in global-requirements either. Should we
do that first?

-- dims

On Wed, Sep 17, 2014 at 1:05 PM, Clint Byrum <cl...@fewbar.com> wrote:
> This is where Debian's "one urllib3 to rule them all" model fails in
> a modern fast-paced world. Debian is arguably doing the right thing by
> pushing everyone to use one API, and one library, so that when that one
> library is found to be vulnerable to security problems, one update covers
> everyone. Also, this is an HTTP/HTTPS library, so nobody can make the
> argument that security isn't paramount in this context.
>
> But we all know that the "app store" model has started to bleed down into
> backend applications, and now you just ship the virtualenv or docker
> container that has your app as you tested it, and if that means you're
> 20 versions behind on urllib3, that's your problem, not the OS vendor's.
>
> I think it is _completely_ irresponsible of requests, a library, to
> embed another library. But I don't know if we can avoid making use of
> it if we are going to be exposed to objects that are attached to it.
>
> Anyway, Thomas, if you're going to send the mob with pitchforks and
> torches somewhere, I'd say send them to wherever requests makes its
> home. OpenStack is just buying their mutated product.
>
> Excerpts from Donald Stufft's message of 2014-09-17 08:22:48 -0700:
>> Looking at the code on my phone it looks completely correct to use the
>> vendored copy here and it wouldn't actually work otherwise.
>>
>> > On Sep 17, 2014, at 11:17 AM, Donald Stufft <don...@stufft.io> wrote:
>> >
>> > I don't know the specific situation but it's appropriate to do this if
>> > you're using requests and wish to interact with the urllib3 that requests
>> > is using.
>> >
>> >> On Sep 17, 2014, at 11:15 AM, Thomas Goirand <z...@debian.org> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I'm horrified by what I just found. I have just found this in
>> >> glanceclient:
>> >>
>> >>   File "<bla>/tests/test_ssl.py", line 19, in <module>
>> >>     from requests.packages.urllib3 import poolmanager
>> >> ImportError: No module named packages.urllib3
>> >>
>> >> Please *DO NOT* do this. Instead, please use urllib3 from ... urllib3.
>> >> Not from requests. The fact that requests is embedding its own version
>> >> of urllib3 is a heresy. In Debian, the embedded version of urllib3 is
>> >> removed from requests.
>> >>
>> >> In Debian, we spend a lot of time un-vendorizing stuff, because
>> >> that's a security nightmare. I don't want to have to patch all of
>> >> OpenStack to do it there as well.
>> >>
>> >> And no, there's no good excuse here...
>> >>
>> >> Thomas Goirand (zigo)
>> >>
>> >> _______________________________________________
>> >> OpenStack-dev mailing list
>> >> OpenStack-dev@lists.openstack.org
>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Davanum Srinivas :: https://twitter.com/dims
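The traceback Thomas quotes and Donald's reply about interacting with "the urllib3 that requests is using" describe the one technical problem in this thread: code written against the vendored path breaks where the bundled copy has been removed, while code written against the standalone package can end up holding a different urllib3 than the one requests wires into its adapters, so isinstance checks against its PoolManager class fail. The following is an added example, not code from the thread, from OpenStack, requests or Debian. It assumes only the two module paths named in the thread (requests.packages.urllib3 and urllib3) and the public PoolManager name that both requests.adapters and urllib3 expose; simulate_importer is a hypothetical test aid so both install layouts can be exercised offline without either package installed.

```python
"""Resolve the urllib3 that requests is actually using, and check it.

Added example for this thread; not code from OpenStack, requests or Debian.
It assumes two candidate module paths: the vendored copy at
``requests.packages.urllib3`` (the path in the quoted traceback) and the
standalone ``urllib3``.  ``simulate_importer`` is a hypothetical test aid.
"""
import importlib
from types import ModuleType

VENDORED = "requests.packages.urllib3"
STANDALONE = "urllib3"


def import_first(candidates, import_module=importlib.import_module):
    """Return (name, module) for the first candidate that imports.

    ``import_module`` is injectable so the fallback path can be tested
    without the real packages (see simulate_importer below).
    """
    failures = []
    for name in candidates:
        try:
            return name, import_module(name)
        except ImportError as exc:
            failures.append("%s: %s" % (name, exc))
    raise ImportError("no urllib3 found; tried " + "; ".join(failures))


def load_urllib3(prefer_vendored=True, import_module=importlib.import_module):
    """Prefer the copy bundled with requests and fall back to the standalone
    package (or the reverse), so the same import works on an unpatched
    pip install and on a Debian-style install with the bundle removed."""
    order = (VENDORED, STANDALONE) if prefer_vendored else (STANDALONE, VENDORED)
    return import_first(order, import_module)


def can_load_urllib3(import_module=importlib.import_module):
    """True if at least one of the two module paths imports."""
    try:
        load_urllib3(import_module=import_module)
    except ImportError:
        return False
    return True


def same_urllib3(requests_adapters, urllib3_module):
    """True if requests builds its pools from the PoolManager class of the
    urllib3 you imported.

    Two loaded copies of the same source define two distinct classes, so
    when this is False an ``isinstance(adapter.poolmanager,
    urllib3_module.PoolManager)`` check on a live requests Session is False
    too.  In real use pass ``requests.adapters`` and ``urllib3``.
    """
    return requests_adapters.PoolManager is urllib3_module.PoolManager


def simulate_importer(available):
    """Hypothetical test aid: an importer that only knows ``available``.

    Each successful import returns a fresh module object with its own
    PoolManager class, mimicking two separately loaded copies of urllib3.
    """
    def import_module(name):
        if name not in available:
            raise ImportError("No module named %s" % name)
        module = ModuleType(name)
        module.PoolManager = type("PoolManager", (), {})
        return module
    return import_module


if __name__ == "__main__":
    # Against the real environment: report which urllib3 was picked and
    # whether it is the one requests wires into HTTPAdapter.
    name, urllib3_mod = load_urllib3()
    print("using", name)
    try:
        import requests.adapters
    except ImportError:
        print("requests not installed; nothing to compare against")
    else:
        print("same copy as requests:",
              same_urllib3(requests.adapters, urllib3_mod))
```

Run it as a script on both a plain pip environment and a distribution-patched one: the first line tells you which path resolved, and the second tells you whether objects hanging off a requests Session will pass isinstance checks against the urllib3 you imported. If they will not, the code has to use whichever copy requests resolved, which is Donald's point.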