On 9/18/14, 9:18 AM, "Clint Byrum" <cl...@fewbar.com> wrote:
>Excerpts from Donald Stufft's message of 2014-09-18 04:58:06 -0700:
>>
>> > On Sep 18, 2014, at 7:54 AM, Thomas Goirand <z...@debian.org> wrote:
>> >
>> >>
>> >> Linux distributions are not the end be all of distribution models and
>> >> they don’t get to dictate to upstream.
>> >
>> > Well, distributions is where the final user is, and where software gets
>> > consumed. Our priority should be the end users.
>>
>>
>> Distributions are not the only place that people get their software from,
>> unless you think that the ~3 million downloads requests has received
>> on PyPI in the last 30 days are distributions downloading requests to
>> package in their OSs.
>>
>
>Do pypi users not also need to be able to detect and fix any versions
>of libraries they might have? If one has some virtualenvs with various
>libraries and apps installed and no --system-site-packages, one would
>probably still want to run 'pip freeze' in all of them and find out what
>libraries are there and need to be fixed.
>
>Anyway, generally security updates require a comprehensive strategy.
>One common comprehensive strategy is version assertion.
>
>Vendoring complicates that immensely.

Except that even OpenStack doesn’t pin requests because of how
extraordinarily stable our API is. While you can argue that Kenneth has
non-standard opinions about his library, Cory and I take backwards
compatibility and stability very seriously. This means anyone can upgrade
to a newer version of requests without worrying that it will be backwards
incompatible.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
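The "run pip freeze in every virtualenv and assert a version" strategy Clint describes, and the gap that vendoring opens in it, worked through as an added example. This is not code from the thread, from pip or from requests. It scans a tree of virtualenvs for every copy of a library: copies with dist-info or egg-info metadata are what `pip freeze` reports, while a copy sitting under some package's `_vendor/` directory carries no metadata and is only found by looking for the package directory itself. The two virtualenvs, their paths, the version numbers and the minimum version "2.4.0" are all constructed for the demonstration and imply nothing about any real release.

```python
"""Inventory every copy of a library under a set of virtualenvs and assert a
minimum version.  Added illustration, not code from the mailing-list thread,
pip or requests.  The tree it scans is constructed by build_demo_tree();
every path and version in it is made up.
"""
import os
import re
import tempfile


def parse_version(text):
    """Turn '2.3.0' into (2, 3, 0) so versions compare numerically.
    Deliberately minimal: release segments only, no PEP 440 pre/post tags."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def _metadata_version(path):
    """Read 'Version: x.y.z' from a METADATA (dist-info) or PKG-INFO (egg-info)."""
    with open(path) as fh:
        for line in fh:
            if line.startswith("Version:"):
                return line.split(":", 1)[1].strip()
    return None


def _dunder_version(pkg_dir):
    """Read __version__ from package source (__init__.py or __version__.py)."""
    pattern = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)
    for name in ("__init__.py", "__version__.py"):
        candidate = os.path.join(pkg_dir, name)
        if os.path.exists(candidate):
            with open(candidate) as fh:
                match = pattern.search(fh.read())
            if match:
                return match.group(1)
    return None


def find_copies(root, name):
    """Return sorted (kind, path, version) for every copy of `name` under root.
    kind is 'installed' (has metadata; what pip freeze reports) or 'vendored'
    (a package directory with no sibling metadata; invisible to pip freeze)."""
    found = []
    meta = (".dist-info", ".egg-info")
    for dirpath, _dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath)
        if base.startswith(name + "-") and base.endswith(".dist-info") and "METADATA" in filenames:
            found.append(("installed", dirpath, _metadata_version(os.path.join(dirpath, "METADATA"))))
        elif base.startswith(name + "-") and base.endswith(".egg-info") and "PKG-INFO" in filenames:
            found.append(("installed", dirpath, _metadata_version(os.path.join(dirpath, "PKG-INFO"))))
        elif base == name and "__init__.py" in filenames:
            # A package directory.  With sibling metadata it is the installed
            # copy already counted above; without it, it is a vendored copy.
            siblings = os.listdir(os.path.dirname(dirpath))
            if not any(s.startswith(name + "-") and s.endswith(meta) for s in siblings):
                found.append(("vendored", dirpath, _dunder_version(dirpath)))
    return sorted(found)


def freeze_view(copies, name):
    """What `pip freeze` would print for `name`: installed copies only.
    A vendored copy never shows up here; that is the gap vendoring opens."""
    return sorted("%s==%s" % (name, ver) for kind, _, ver in copies if kind == "installed")


def check_minimum(copies, minimum):
    """Version assertion: return [(kind, path, version, ok)].  ok is False when
    the copy is older than `minimum` or its version could not be determined."""
    floor = parse_version(minimum)
    return [(kind, path, ver, ver is not None and parse_version(ver) >= floor)
            for kind, path, ver in copies]


def build_demo_tree():
    """Constructed data: two throwaway virtualenvs.
    venv-a: requests 2.3.0 installed (dist-info) plus a vendored requests 2.2.1
            under pip/_vendor that pip freeze would never list;
    venv-b: requests 2.4.1 installed (egg-info).  All hypothetical."""
    root = tempfile.mkdtemp(prefix="venvs-")

    def write(path, text):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    sp_a = os.path.join(root, "venv-a", "lib", "python2.7", "site-packages")
    write(os.path.join(sp_a, "requests-2.3.0.dist-info", "METADATA"), "Name: requests\nVersion: 2.3.0\n")
    write(os.path.join(sp_a, "requests", "__init__.py"), "__version__ = '2.3.0'\n")
    write(os.path.join(sp_a, "pip", "_vendor", "requests", "__init__.py"), "__version__ = '2.2.1'\n")
    sp_b = os.path.join(root, "venv-b", "lib", "python2.7", "site-packages")
    write(os.path.join(sp_b, "requests-2.4.1.egg-info", "PKG-INFO"), "Name: requests\nVersion: 2.4.1\n")
    write(os.path.join(sp_b, "requests", "__init__.py"), "__version__ = '2.4.1'\n")
    return root


if __name__ == "__main__":
    tree = build_demo_tree()
    copies = find_copies(tree, "requests")
    print("pip freeze would show:", freeze_view(copies, "requests"))
    for kind, path, ver, ok in check_minimum(copies, "2.4.0"):
        print("%-9s %-6s %s %s" % (kind, ver, "OK " if ok else "OLD", path))
```

Against the constructed tree, the freeze view lists only `requests==2.3.0` and `requests==2.4.1`; the vendored 2.2.1 copy is found only by the directory walk, and both it and the 2.3.0 install fail the "2.4.0" assertion. Pointing `find_copies` at a real `~/.virtualenvs` (or any directory of site-packages trees) is the practical use.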