Closed erikbosch closed 7 months ago
I DO think this is not clever, because next time there is a vulnerability Securty advisory will say "it can not determine" whether we are affected", this happened to JWT token generation in the past before pinning things. So I think it is better puttting a specfic version. Otherwise I agree let's not spend much effort on this particular tool at the moment
I DO think this is not clever, because next time there is a vulnerability Securty advisory will say "it can not determine" whether we are affected", this happened to JWT token generation in the past before pinning things. So I think it is better puttting a specfic version. Otherwise I agree let's not spend much effort on this particular tool at the moment
OK, then I will rework to use an *.in*
file
@SebastianSchildt - update to use requirements.in
and generated requirements.txt
. Makes the dependency list longer but stricter :-)
I suggest that we remove version numbers. That should maintaining for vulnerabilities easier. The rationale is that this component is provided "as is", we do not test it and we do not release it, and there is no defined acceptance/test criteria for nailing a version (and possibly create a release).
Side note:
IF we later intend to spend more time on this app we could consider an approach like dbcfeeder, having a
requirements.in
where we only specify version if needed for functional reasons and compatible version~=
rather than explicit version and then generate/updaterequirements.txt
as part of release, so that it for releases represent a known working versionI did a very basic test after the update, I did not try to set up a S3 server