Add a security warning about downstream reuse

fungi · fungi · commit b3da2bd39c78 · 2025-09-12T17:22:51.000Z
Consumers have chronically looked to our list of tested dependency
versions for guidance on what to install, without realizing their
use case is different from ours or considering the security
implications of that choice.

Include a prominent security warning in the README.rst,
global-requirements.txt and generated upper-constraints.txt files
in hopes of making these risks clearer.

Change-Id: If012a379f0c4ec63825a9617972d4579c9c1b413
Signed-off-by: Jeremy Stanley &lt;fungi@yuggoth.org&gt;
diff --git a/README.rst b/README.rst
@@ -5,6 +5,17 @@
 .. image:: https://governance.openstack.org/tc/badges/requirements.svg
     :target: https://governance.openstack.org/tc/reference/tags/index.html
 
+Security Warning
+================
+
+OpenStack makes no security guarantees about third-party
+dependencies listed here, and does not keep track of any
+vulnerabilities they contain. Versions of these dependencies are
+frozen at each coordinated release in order to stabilize upstream
+testing, and can contain known vulnerabilities. Consumers are
+*STRONGLY* encouraged to rely on curated distributions of OpenStack
+or manage security patching of dependencies themselves.
+
 Resources and Documentation
 ===========================
 
diff --git a/global-requirements.txt b/global-requirements.txt
@@ -1,3 +1,11 @@
+### WARNING: OpenStack makes no security guarantees about third-party
+### dependencies listed here, and does not keep track of any
+### vulnerabilities they contain. Versions of these dependencies are
+### frozen at each coordinated release in order to stabilize upstream
+### testing, and can contain known vulnerabilities. Consumers are
+### *STRONGLY* encouraged to rely on curated distributions of OpenStack
+### or manage security patching of dependencies themselves.
+
 ## section:general
 
 aiomysql  # MIT License
diff --git a/openstack_requirements/cmds/generate.py b/openstack_requirements/cmds/generate.py
@@ -26,6 +26,17 @@
 from openstack_requirements import requirement
 
 
+SECURITY_WARNING = [
+    "# WARNING: OpenStack makes no security guarantees about third-party",
+    "# dependencies listed here, and does not keep track of any",
+    "# vulnerabilities they contain. Versions of these dependencies are",
+    "# frozen at each coordinated release in order to stabilize upstream",
+    "# testing, and can contain known vulnerabilities. Consumers are",
+    "# *STRONGLY* encouraged to rely on curated distributions of OpenStack",
+    "# or manage security patching of dependencies themselves.",
+    ]
+
+
 def _parse_freeze(text):
     """Parse a freeze into structured data.
 
@@ -257,5 +268,5 @@ def main(argv=None, stdout=None):
     denylist = _parse_denylist(options.denylist)
     frozen = [
         *sorted(_combine_freezes(freezes, denylist), key=_make_sort_key)]
-    stdout.writelines(frozen)
+    stdout.writelines(SECURITY_WARNING + frozen)
     stdout.flush()
