Synchronise master with upstream

README.rst

@@ -5,6 +5,17 @@
 .. image:: https://governance.openstack.org/tc/badges/requirements.svg
     :target: https://governance.openstack.org/tc/reference/tags/index.html
 
+Security Warning
+================
+
+OpenStack makes no security guarantees about third-party
+dependencies listed here, and does not keep track of any
+vulnerabilities they contain. Versions of these dependencies are
+frozen at each coordinated release in order to stabilize upstream
+testing, and can contain known vulnerabilities. Consumers are
+*STRONGLY* encouraged to rely on curated distributions of OpenStack
+or manage security patching of dependencies themselves.
+
 Resources and Documentation
 ===========================
 

global-requirements.txt

@@ -1,3 +1,11 @@
+### WARNING: OpenStack makes no security guarantees about third-party
+### dependencies listed here, and does not keep track of any
+### vulnerabilities they contain. Versions of these dependencies are
+### frozen at each coordinated release in order to stabilize upstream
+### testing, and can contain known vulnerabilities. Consumers are
+### *STRONGLY* encouraged to rely on curated distributions of OpenStack
+### or manage security patching of dependencies themselves.
+
 ## section:general
 
 aiomysql  # MIT License
@@ -72,7 +80,6 @@ influxdb!=5.3.0  # MIT
 influxdb-client  # MIT
 infoblox-client  # Apache-2.0
 iso8601  # MIT
-jaeger-client  # Apache-2.0
 Jinja2  # BSD License (3 clause)
 jira  # BSD License (2 clause)
 jmespath  # MIT
@@ -81,7 +88,6 @@ jsonschema  # MIT
 kazoo  # Apache-2.0
 kombu!=4.0.2  # BSD
 kubernetes  # Apache-2.0
-ldap3  # LGPLv3
 libsass  # MIT
 libvirt-python!=4.1.0,!=4.2.0  # LGPLv2+
 lxml!=3.7.0  # BSD
@@ -137,7 +143,6 @@ python-ldap  # PSF
 python-memcached  # PSF
 pytz  # MIT
 pyudev  # LGPLv2.1+
-pywinrm  # MIT
 PyYAML  # MIT
 pyzabbix  # LGPL
 qrcode  # BSD
@@ -277,6 +282,7 @@ types-simplejson  # Apache-2.0
 typing  # PSF
 typing-extensions  # PSF
 tzdata  # MIT
+valkey  # MIT
 virtualbmc  # Apache-2.0
 virtualenv!=16.3.0  # MIT
 WebTest  # MIT
@@ -329,6 +335,7 @@ ironic-lib!=4.6.0  # Apache-2.0
 keystoneauth1  # Apache-2.0
 keystonemiddleware  # Apache-2.0
 kuryr-lib  # Apache-2.0
+lark  # MIT
 metalsmith  # Apache-2.0
 microversion-parse  # Apache-2.0
 mistral-lib  # Apache-2.0
@@ -384,7 +391,7 @@ pbr!=2.1.0  # Apache-2.0
 sherlock  # MIT
 stevedore!=3.0.0  # Apache-2.0
 tap-as-a-service  # Apache-2.0
-taskflow  # Apache-2.0
+taskflow!=6.0.0  # Apache-2.0
 tempest  # Apache-2.0
 tooz  # Apache-2.0
 tosca-parser  # Apache-2.0

openstack_requirements/cmds/edit_constraint.py

@@ -68,7 +68,7 @@ def main(argv=None, stdout=None):
     content = open(args[0], 'rt').read()
     reqs = requirement.parse(content, permit_urls=True)
     out_reqs = edit(reqs, args[1], args[2])
-    out = requirement.to_content(out_reqs, prefix=False)
+    out = requirement.to_content(out_reqs)
     with open(args[0] + '.tmp', 'wt') as f:
         f.write(out)
     if os.path.exists(args[0]):

openstack_requirements/cmds/generate.py

@@ -26,6 +26,17 @@
 from openstack_requirements import requirement
 
 
+SECURITY_WARNING = [
+    "# WARNING: OpenStack makes no security guarantees about third-party",
+    "# dependencies listed here, and does not keep track of any",
+    "# vulnerabilities they contain. Versions of these dependencies are",
+    "# frozen at each coordinated release in order to stabilize upstream",
+    "# testing, and can contain known vulnerabilities. Consumers are",
+    "# *STRONGLY* encouraged to rely on curated distributions of OpenStack",
+    "# or manage security patching of dependencies themselves.",
+    ]
+
+
 def _parse_freeze(text):
     """Parse a freeze into structured data.
 
@@ -257,5 +268,5 @@ def main(argv=None, stdout=None):
     denylist = _parse_denylist(options.denylist)
     frozen = [
         *sorted(_combine_freezes(freezes, denylist), key=_make_sort_key)]
-    stdout.writelines(frozen)
+    stdout.writelines(SECURITY_WARNING + frozen)
     stdout.flush()

openstack_requirements/project.py

@@ -15,43 +15,11 @@
 
 """The project abstraction."""
 
-import collections
 import configparser
 import errno
 import io
 import os
 
-from parsley import makeGrammar
-
-from openstack_requirements import requirement
-
-# PURE logic from here until the IO marker below.
-
-
-_Comment = collections.namedtuple('Comment', ['line'])
-_Extra = collections.namedtuple('Extra', ['name', 'content'])
-
-
-_extras_grammar = """
-ini = (line*:p extras?:e line*:l final:s) -> (''.join(p), e, ''.join(l+[s]))
-line = ~extras <(~'\\n' anything)* '\\n'>
-final = <(~'\\n' anything)* >
-extras = '[' 'e' 'x' 't' 'r' 'a' 's' ']' '\\n'+ body*:b -> b
-body = comment | extra
-comment = <'#' (~'\\n' anything)* '\\n'>:c '\\n'* -> comment(c)
-extra = name:n ' '* '=' line:l cont*:c '\\n'* -> extra(n, ''.join([l] + c))
-name = <(anything:x ?(x not in '\\n \\t='))+>
-cont = ' '+ <(~'\\n' anything)* '\\n'>
-"""
-_extras_compiled = makeGrammar(
-    _extras_grammar, {"comment": _Comment, "extra": _Extra})
-
-
-Error = collections.namedtuple('Error', ['message'])
-File = collections.namedtuple('File', ['filename', 'content'])
-StdOut = collections.namedtuple('StdOut', ['message'])
-Verbose = collections.namedtuple('Verbose', ['message'])
-
 
 def extras(project):
     """Return a dict of extra-name:content for the extras in setup.cfg."""
@@ -64,41 +32,6 @@ def extras(project):
     return dict(c.items('extras'))
 
 
-def merge_setup_cfg(old_content, new_extras):
-    # This is ugly. All the existing libraries handle setup.cfg's poorly.
-    prefix, extras, suffix = _extras_compiled(old_content).ini()
-    out_extras = []
-    if extras is not None:
-        for extra in extras:
-            if type(extra) is _Comment:
-                out_extras.append(extra)
-            elif type(extra) is _Extra:
-                if extra.name not in new_extras:
-                    out_extras.append(extra)
-                    continue
-                e = _Extra(
-                    extra.name,
-                    requirement.to_content(
-                        new_extras[extra.name], ':', '  ', False))
-                out_extras.append(e)
-            else:
-                raise TypeError('unknown type %r' % extra)
-    if out_extras:
-        extras_str = ['[extras]\n']
-        for extra in out_extras:
-            if type(extra) is _Comment:
-                extras_str.append(extra.line)
-            else:
-                extras_str.append(extra.name + ' =')
-                extras_str.append(extra.content)
-        if suffix:
-            extras_str.append('\n')
-        extras_str = ''.join(extras_str)
-    else:
-        extras_str = ''
-    return prefix + extras_str + suffix
-
-
 # IO from here to the end of the file.
 
 def _safe_read(project, filename, output=None):
@@ -143,47 +76,3 @@ def read(root):
     result['lower-constraints.txt'] = None
     _safe_read(result, 'lower-constraints.txt')
     return result
-
-
-def write(project, actions, stdout, verbose, noop=False):
-    """Write actions into project.
-
-    :param project: A project metadata dict.
-    :param actions: A list of action tuples - File or Verbose - that describe
-        what actions are to be taken.
-        Error objects write a message to stdout and trigger an exception at
-            the end of _write_project.
-        File objects describe a file to have content placed in it.
-        StdOut objects describe a message to write to stdout.
-        Verbose objects will write a message to stdout when verbose is True.
-    :param stdout: Where to write content for stdout.
-    :param verbose: If True Verbose actions will be written to stdout.
-    :param noop: If True nothing will be written to disk.
-    :return None:
-    :raises IOError: If the IO operations fail, IOError is raised. If this
-        happens some actions may have been applied and others not.
-    """
-    error = False
-    for action in actions:
-        if type(action) is Error:
-            error = True
-            stdout.write(action.message + '\n')
-        elif type(action) is File:
-            if noop:
-                continue
-            fullname = os.path.join(project['root'], action.filename)
-            tmpname = fullname + '.tmp'
-            with open(tmpname, 'wt') as f:
-                f.write(action.content)
-            if os.path.exists(fullname):
-                os.remove(fullname)
-            os.rename(tmpname, fullname)
-        elif type(action) is StdOut:
-            stdout.write(action.message)
-        elif type(action) is Verbose:
-            if verbose:
-                stdout.write(u"%s\n" % (action.message,))
-        else:
-            raise Exception("Invalid action %r" % (action,))
-    if error:
-        raise Exception("Error occurred processing %s" % (project['root']))