Comment # 7 on bug 1095041 from Robert Schweikert

The problem is that if a security issue is encountered in the bundled requests
package then we are dependent on the maintainers of botocore to provide a
patched requests implementation.

Given that getting things into boto and botocore is a rather lengthy
undertaking the question is really; would you be OK if we'd expose your AWS
credentials via a bug in the bundled requests package that we cannot fix in a
hurry? 

My guess is that the answer to that question is No and thus having requests
separate as it is today is the right thing to do.

We will pull the upstream patch to avoid the issue.