Merge "Add a security warning about downstream reuse"

Zuul · openstack-gerrit · commit 53d3ce5d4f3b · 2025-10-14T04:09:56.000Z
diff --git a/README.rst b/README.rst
@@ -5,6 +5,17 @@
 .. image:: https://governance.openstack.org/tc/badges/requirements.svg
     :target: https://governance.openstack.org/tc/reference/tags/index.html
 
+Security Warning
+================
+
+OpenStack makes no security guarantees about third-party
+dependencies listed here, and does not keep track of any
+vulnerabilities they contain. Versions of these dependencies are
+frozen at each coordinated release in order to stabilize upstream
+testing, and can contain known vulnerabilities. Consumers are
+*STRONGLY* encouraged to rely on curated distributions of OpenStack
+or manage security patching of dependencies themselves.
+
 Resources and Documentation
 ===========================
 
diff --git a/global-requirements.txt b/global-requirements.txt
@@ -1,3 +1,11 @@
+### WARNING: OpenStack makes no security guarantees about third-party
+### dependencies listed here, and does not keep track of any
+### vulnerabilities they contain. Versions of these dependencies are
+### frozen at each coordinated release in order to stabilize upstream
+### testing, and can contain known vulnerabilities. Consumers are
+### *STRONGLY* encouraged to rely on curated distributions of OpenStack
+### or manage security patching of dependencies themselves.
+
 ## section:general
 
 aiomysql  # MIT License
diff --git a/openstack_requirements/cmds/generate.py b/openstack_requirements/cmds/generate.py
@@ -26,6 +26,17 @@
 from openstack_requirements import requirement
 
 
+SECURITY_WARNING = [
+    "# WARNING: OpenStack makes no security guarantees about third-party",
+    "# dependencies listed here, and does not keep track of any",
+    "# vulnerabilities they contain. Versions of these dependencies are",
+    "# frozen at each coordinated release in order to stabilize upstream",
+    "# testing, and can contain known vulnerabilities. Consumers are",
+    "# *STRONGLY* encouraged to rely on curated distributions of OpenStack",
+    "# or manage security patching of dependencies themselves.",
+    ]
+
+
 def _parse_freeze(text):
     """Parse a freeze into structured data.
 
@@ -257,5 +268,5 @@ def main(argv=None, stdout=None):
     denylist = _parse_denylist(options.denylist)
     frozen = [
         *sorted(_combine_freezes(freezes, denylist), key=_make_sort_key)]
-    stdout.writelines(frozen)
+    stdout.writelines(SECURITY_WARNING + frozen)
     stdout.flush()
