Robert Collins <robertc@...> writes: > The problem that occurs is the result of a few interacting things: > - requests has very very specific versions of urllib3 it works with. > So specific they aren't always released yet.
This should no longer be true. Our downstream redistributors pointed out to us that this was making their lives harder than they needed to be, so it's now our policy to only update to actual release versions of urllib3. > The second is trivially insufficient - anytime requests vendored > urllib3 is not precisely identical to a released urllib3, it becomes > impossible to satisfy that via dependency version pinning - the only > way to satisfy it is with the urllib3 in the distro that has whatever > change was needed included. Per my note above, if we restrict ourselves to relatively recent versions of requests (2.7.3+ IIRC) we should be fine. Of course, that doesn't mean we can actually do that... > The fourth approach meets the stone wall of 'but security' and 'no > redundancy permitted' - I don't have the energy to try and get through > the near-religious mindset I've encountered there before, though hey - > if Fedora and Debian and Ubuntu folk are all interested in figuring > out a sustainable way forward, that would be great: please don't feel > cut out, I'm just not expecting anything. It should be assumed that approach number four is a non-starter. This list has had that conversation before, which was a stunningly unpleasant experience for me and not one I want to repeat. Additionally, getting *all* of Fedora/Debian/Ubuntu on board with not unbundling requests is about as likely as hell freezing over. Cory __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev