Add a security warning about downstream reuse

Consumers have chronically looked to our list of tested dependency versions for guidance on what to install, without realizing their use case is different from ours or considering the security implications of that choice. Include a prominent security warning in the README.rst, global-requirements.txt and generated upper-constraints.txt files in hopes of making these risks clearer. Change-Id: If012a379f0c4ec63825a9617972d4579c9c1b413 Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
2025-09-12 15:52:54 +00:00
parent d953bdbff8
commit b3da2bd39c
3 changed files with 31 additions and 1 deletions
--- a/README.rst
+++ b/README.rst
@@ -5,6 +5,17 @@
 .. image:: https://governance.openstack.org/tc/badges/requirements.svg
    :target: https://governance.openstack.org/tc/reference/tags/index.html

+Security Warning
+================
+
+OpenStack makes no security guarantees about third-party
+dependencies listed here, and does not keep track of any
+vulnerabilities they contain. Versions of these dependencies are
+frozen at each coordinated release in order to stabilize upstream
+testing, and can contain known vulnerabilities. Consumers are
+*STRONGLY* encouraged to rely on curated distributions of OpenStack
+or manage security patching of dependencies themselves.
+
 Resources and Documentation
 ===========================

--- a/global-requirements.txt
+++ b/global-requirements.txt
@@ -1,3 +1,11 @@
+### WARNING: OpenStack makes no security guarantees about third-party
+### dependencies listed here, and does not keep track of any
+### vulnerabilities they contain. Versions of these dependencies are
+### frozen at each coordinated release in order to stabilize upstream
+### testing, and can contain known vulnerabilities. Consumers are
+### *STRONGLY* encouraged to rely on curated distributions of OpenStack
+### or manage security patching of dependencies themselves.
+
 ## section:general

 aiomysql  # MIT License
--- a/openstack_requirements/cmds/generate.py
+++ b/openstack_requirements/cmds/generate.py
@@ -26,6 +26,17 @@ import fixtures
 from openstack_requirements import requirement


+SECURITY_WARNING = [
+    "# WARNING: OpenStack makes no security guarantees about third-party",
+    "# dependencies listed here, and does not keep track of any",
+    "# vulnerabilities they contain. Versions of these dependencies are",
+    "# frozen at each coordinated release in order to stabilize upstream",
+    "# testing, and can contain known vulnerabilities. Consumers are",
+    "# *STRONGLY* encouraged to rely on curated distributions of OpenStack",
+    "# or manage security patching of dependencies themselves.",
+    ]
+
+
 def _parse_freeze(text):
    """Parse a freeze into structured data.

@@ -257,5 +268,5 @@ def main(argv=None, stdout=None):
    denylist = _parse_denylist(options.denylist)
    frozen = [
        *sorted(_combine_freezes(freezes, denylist), key=_make_sort_key)]
-    stdout.writelines(frozen)
+    stdout.writelines(SECURITY_WARNING + frozen)
    stdout.flush()