Bug 15010 - docker-registry requires python-glanceclient and python-keystoneclient
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Bruno Cornec
QA Contact: Sec team
Blocks: 14674
Reported: 2015-01-11 18:20 CET by David Walser
Modified: 2015-02-23 14:49 CET
Source RPM: docker-registry-0.9.0-1.mga5.src.rpm

Description David Walser 2015-01-11 18:20:40 CET
docker-registry requires these two openstack packages which we cannot support for stable releases (they're unmaintained and rife with security issues).  Please drop the requires on those packages or drop docker-registry before Mageia 5.

We also need to drop:
python-ceilometerclient-1.0.9-5.mga5.src.rpm 
python-cinderclient-1.0.8-5.mga5.src.rpm 
python-glanceclient-0.12.0-5.mga5.src.rpm 
python-heatclient-0.2.8-5.mga5.src.rpm  
python-keystoneclient-0.7.1-5.mga5.src.rpm  
python-neutronclient-2.3.4-5.mga5.src.rpm 
python-novaclient-2.17.0-5.mga5.src.rpm 
python-swiftclient-2.0.3-5.mga5.src.rpm  
python-troveclient-1.0.3-5.mga5.src.rpm 

David Walser 2015-01-11 18:20:57 CET

Blocks: (none) => 14674

Comment 1 Bruno Cornec 2015-01-14 09:41:55 CET
Hello David,

I'm not sure I understand your point.

python-glanceclient is maintained (I could update it to 0.15 which is the upstream version at https://github.com/openstack/python-glanceclient)
python-keystoneclient is also maintained (I could again update it to a more recent version as well at https://github.com/openstack/python-keystoneclient)

I don't understand why you speak about unmaintained. Could you explain?

If it's in Mageia, if we want docker, then we need that package as well as fig and some others. Maybe we should create a small team to work on this?

And docker-registry really needs these 2 IIRC.
Comment 2 David Walser 2015-01-14 15:47:27 CET
They're unmaintained in Mageia.  They've never been consistently maintained since they were first imported.  They have frequent security issues that are never addressed.  I've already raised this issue before the last two Mageia releases.  The OpenStack stuff has too many security issues and is too confusing to rely on me to stay on top of it for stable.  Someone's going to have to show that they can stay on top of it and consistently maintain them, and that's never happened.  We cannot support those packages for stable and we can't ship them in Mageia 5.  I have a hard time believing that you can't have Docker without also having OpenStack.  I'd imagine there's some way you can disable that dependency in docker-registry.  For now, it needs to be done.
Comment 3 David Walser 2015-01-14 22:27:02 CET
So docker-registry was already broken because it also depended on python-docker-registry-core, which doesn't exist.  I've removed all of these packages.  docker-registry can be reintroduced if it can be built without broken dependencies or openstack packages.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 David Walser 2015-02-23 14:49:18 CET
Just FYI, the correct way to handle the requires/recommends here would be:

docker-registry recommends docker-registry-glance-driver (or whatever you end up calling it, not currently packaged), which requires python-glanceclient, which requires python-keystoneclient.  So docker-registry shouldn't recommend the *client packages directly.
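
The layout described in Comment 4 can be checked by walking only the hard Requires edges. This is an added example, not part of the bug report or of Mageia's tooling: the package metadata is constructed from the names in this thread, the AFTER layout assumes the broken python-docker-registry-core dependency from Comment 3 is gone, and the helper names are hypothetical.

```python
# Constructed metadata: "requires" are hard dependencies, "recommends" are soft.
UNSUPPORTED = {"python-glanceclient", "python-keystoneclient"}

BEFORE = {  # layout reported in this bug
    "docker-registry": {
        "requires": ["python-glanceclient", "python-keystoneclient",
                     "python-docker-registry-core"],
        "recommends": []},
    "python-glanceclient": {"requires": ["python-keystoneclient"], "recommends": []},
    "python-keystoneclient": {"requires": [], "recommends": []},
}

AFTER = {  # layout suggested in Comment 4 (driver package name as used there)
    "docker-registry": {"requires": [],
                        "recommends": ["docker-registry-glance-driver"]},
    "docker-registry-glance-driver": {"requires": ["python-glanceclient"],
                                      "recommends": []},
    "python-glanceclient": {"requires": ["python-keystoneclient"], "recommends": []},
    "python-keystoneclient": {"requires": [], "recommends": []},
}

def hard_closure(repo, root):
    """Follow hard Requires only; return (installable set, names missing from repo)."""
    seen, missing, stack = set(), set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in repo:
            missing.add(name)  # dependency that no package in the repo provides
            continue
        seen.add(name)
        stack.extend(repo[name]["requires"])
    return seen, missing

def audit(repo, root, unsupported=UNSUPPORTED):
    """Report unsupported packages forced by root, and its broken dependencies."""
    installed, missing = hard_closure(repo, root)
    return {"forced_unsupported": sorted(installed & unsupported),
            "broken": sorted(missing)}

def drop(repo, names):
    """Return a copy of the repo with the named packages removed."""
    return {pkg: meta for pkg, meta in repo.items() if pkg not in names}

if __name__ == "__main__":
    print("before:", audit(BEFORE, "docker-registry"))
    print("after: ", audit(AFTER, "docker-registry"))
    print("after, clients dropped:", audit(drop(AFTER, UNSUPPORTED), "docker-registry"))
```

With the Recommends layout, removing the client packages from the repository breaks only the optional driver package, not docker-registry itself.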
