Add docs for updating external dependencies #1280
@@ -66,7 +66,7 @@ After gathering this information: | |
|
||
* ``name`` for the project name. | ||
* ``SPDXID`` which will be ``"SPDXRef-PACKAGE-{name}"``. | ||
* ``licenseConcluded`` for the SPDX license identifier of the project license. | ||
* ``licenseConcluded`` must be ``NOASSERTION``. | ||
* ``versionInfo`` for the version of the project. | ||
* ``downloadLocation`` should be an HTTPS URL for the project download as an archive. | ||
* ``checksums[0].checksumValue`` and ``.algorithm`` will be the SHA-256 | ||
|
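Review bot: the replaced bullet now states that ``licenseConcluded`` must be ``NOASSERTION`` but drops the explanation the old line carried (that the field is the SPDX license identifier for the project license) and gives no reason for the new rule; add a short rationale or a pointer to where it is explained, otherwise a reader who followed the previous guidance will not know why the SPDX license identifier is no longer recorded.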
@@ -107,3 +107,19 @@ When removing a dependency: | |
that correct package is removed from the SBOM. | ||
5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and | ||
:cpy-file:`Tools/build/generate_sbom.py`. | ||
|
||
Updating external dependencies (cpython-source-deps) | ||
---------------------------------------------------- | ||
|
||
Dependencies for Windows CPython builds are `stored in a separate repository <https://github.com/python/cpython-source-deps>`_ | ||
Some binaries are also stored in https://github.com/python/cpython-bin-deps, though generally they should also have sources in the source-deps repo. Is this distinction important here?

Do any of the cpython-bin-deps get shipped along with the CPython artifacts? If they're derived from the cpython-source-deps repository I think we should be okay.

I think the only one that isn't derived from
and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. | ||
In this script the libraries to fetch are designated by ``{name}-{version}`` git refs being added to the ``libraries`` variable. | ||
SBOM tooling in the CPython repository matches these git refs in order to build the :cpy-file:`Misc/externals.spdx.json` | ||
SBOM file. When updating external dependencies for a CPython branch: | ||
1. Push the update to the ``cpython-source-deps`` repository and create a new git tag. | ||
Maybe worth noting that this can only be done by a core committer, and we don't accept PRs for it (because we need to verify the sources have come from the right source and are unmodified, and our trust boundary for this is "has the commit bit"). Also might be worth noting that sometimes there's a build step involved and the core committer will then push a tag to

In practice for contributors, what this usually means is that they should post an issue requesting the updated version, wait for a core dev to say the tags are ready, and then the contributor can continue with the following steps.

I've addressed this comment in b32b691. Do you think we should cover the cpython-bin-deps part here as well?

Not in the same note, but it ought to be documented somewhere. At the very least, we should mention the
2. Update the entry for the project in ``get_externals.bat``. | ||
3. Run ``make regen-sbom`` in the CPython source repository. | ||
4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff`` | ||
5. Commit the changes and have them merged together. |
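Review bot: step 1 tells the reader to "create a new git tag" but not how it must be named, while the paragraph above explains that ``get_externals.bat`` and the SBOM tooling match ``{name}-{version}`` git refs; state explicitly that the tag must follow the ``{name}-{version}`` form, since a tag that does not match it will not be picked up by ``get_externals.bat`` or by ``make regen-sbom`` in step 3. Two smaller points: step 4 is missing its trailing period and reads more clearly as "Verify with ``git diff`` that the metadata (version, download location) in ``externals.spdx.json`` is updated as expected.", and the restriction discussed in the thread (only core committers push to ``cpython-source-deps`` and tag it, so contributors should open an issue and wait for the tag) is not reflected in step 1 of this revision.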