Bug 15010

Summary: docker-registry requires python-glanceclient and python-keystoneclient
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Bruno Cornec <bruno>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: docker-registry-0.9.0-1.mga5.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 14674    

Description David Walser 2015-01-11 18:20:40 CET 
docker-registry requires these two openstack packages which we cannot support for stable releases (they're unmaintained and rife with security issues).  Please drop the requires on those packages or drop docker-registry before Mageia 5.

We also need to drop:
python-ceilometerclient-1.0.9-5.mga5.src.rpm 
python-cinderclient-1.0.8-5.mga5.src.rpm 
python-glanceclient-0.12.0-5.mga5.src.rpm 
python-heatclient-0.2.8-5.mga5.src.rpm  
python-keystoneclient-0.7.1-5.mga5.src.rpm  
python-neutronclient-2.3.4-5.mga5.src.rpm 
python-novaclient-2.17.0-5.mga5.src.rpm 
python-swiftclient-2.0.3-5.mga5.src.rpm  
python-troveclient-1.0.3-5.mga5.src.rpm 


Reproducible: 

Steps to Reproduce:
David Walser 2015-01-11 18:20:57 CET

Blocks: (none) => 14674

Comment 1 Bruno Cornec 2015-01-14 09:41:55 CET 
Hello David,

I'm not sure I understand your point.

python-glanceclient is maintained (I could update it to 0.15 which is the upstream version at https://github.com/openstack/python-glanceclient)
python-keystoneclient is also maintained (I could again update it to a more recent version as well at https://github.com/openstack/python-keystoneclient)

I don't understand why you speak about unmaintained. Could you explain ?

If it's in Magia, if we want docker, then we need that package as well as fig and some others. Maybe we should create a small team to work on this ?

And docker-registry really needs these 2 IIRC.
Comment 2 David Walser 2015-01-14 15:47:27 CET 
They're unmaintained in Mageia.  They've never been consistently maintained since they were first imported.  They have frequent security issues that are never addressed.  I've already raised this issue before the last two Mageia releases.  The OpenStack stuff has too many security issues and is too confusing to rely on me to stay on top of it for stable.  Someone's going to have to show that they can stay on top of it and consistently maintain them, and that's never happened.  We cannot support those packages for stable and we can't ship them in Mageia 5.  I have a hard time believing that you can't have Docker without also having OpenStack.  I'd imagine there's some way you can disable that dependency in docker-registry.  For now, it needs to be done.
Comment 3 David Walser 2015-01-14 22:27:02 CET 
So docker-registry was already broken because it also depended on python-docker-registry-core, which doesn't exist.  I've removed all of these packages.  docker-registry can be reintroduced if it can be built without broken dependencies or openstack packages.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 David Walser 2015-02-23 14:49:18 CET 
Just FYI, the correct way to handle the requires/recommends here would be:

docker-registry recommends docker-registry-glance-driver (or whatever you end up calling it, not currently packaged), which requires python-glanceclient, which requires python-keystoneclient.  So docker-registry shouldn't recommend the *client packages directly.