Closed erikbosch closed 7 months ago
SebastianSchildt
commented
7 months ago I DO think this is not clever, because next time there is a vulnerability Securty advisory will say "it can not determine" whether we are affected", this happened to JWT token generation in the past before pinning things. So I think it is better puttting a specfic version. Otherwise I agree let's not spend much effort on this particular tool at the moment
erikbosch
commented
7 months ago I DO think this is not clever, because next time there is a vulnerability Securty advisory will say "it can not determine" whether we are affected", this happened to JWT token generation in the past before pinning things. So I think it is better puttting a specfic version. Otherwise I agree let's not spend much effort on this particular tool at the moment
OK, then I will rework to use an *.in* file
erikbosch
commented
7 months ago @SebastianSchildt - update to use requirements.in and generated requirements.txt. Makes the dependency list longer but stricter :-)
I suggest that we remove version numbers. That should maintaining for vulnerabilities easier. The rationale is that this component is provided "as is", we do not test it and we do not release it, and there is no defined acceptance/test criteria for nailing a version (and possibly create a release).
Side note:
IF we later intend to spend more time on this app we could consider an approach like dbcfeeder, having a
requirements.inwhere we only specify version if needed for functional reasons and compatible version~=rather than explicit version and then generate/updaterequirements.txtas part of release, so that it for releases represent a known working versionI did a very basic test after the update, I did not try to set up a S3 server