requirements/README.rst
Jeremy Stanley b3da2bd39c Add a security warning about downstream reuse
Consumers have chronically looked to our list of tested dependency
versions for guidance on what to install, without realizing their
use case is different from ours or considering the security
implications of that choice.

Include a prominent security warning in the README.rst,
global-requirements.txt and generated upper-constraints.txt files
in hopes of making these risks clearer.

Change-Id: If012a379f0c4ec63825a9617972d4579c9c1b413
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
2025-09-12 17:22:51 +00:00

Global Requirements and Constraints for OpenStack Projects

Security Warning

OpenStack makes no security guarantees about third-party dependencies listed here, and does not keep track of any vulnerabilities they contain. Versions of these dependencies are frozen at each coordinated release in order to stabilize upstream testing, and can contain known vulnerabilities. Consumers are STRONGLY encouraged to rely on curated distributions of OpenStack or manage security patching of dependencies themselves.

Resources and Documentation

Please refer to the dependency management documentation linked below for up-to-date information on how to use and interact with the requirements project.