From 6b6bbad86612e91753ca98bbe3d60db48786e3f7 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Tue, 27 Feb 2024 15:56:40 -0600 Subject: [PATCH 1/7] Add docs for updating external dependencies --- developer-workflow/sbom.rst | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 756c17570..75f7d81ee 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst @@ -66,7 +66,7 @@ After gathering this information: * ``name`` for the project name. * ``SPDXID`` which will be ``"SPDXRef-PACKAGE-{name}"``. - * ``licenseConcluded`` for the SPDX license identifier of the project license. + * ``licenseConcluded`` must be ``NOASSERTION``. * ``versionInfo`` for the version of the project. * ``downloadLocation`` should be an HTTPS URL for the project download as an archive. * ``checksums[0].checksumValue`` and ``.algorithm`` will be the SHA-256 
@@ -107,3 +107,19 @@ When removing a dependency: that correct package is removed from the SBOM. 5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and :cpy-file:`Tools/build/generate_sbom.py`. + +Updating external dependencies (cpython-source-deps) +---------------------------------------------------- + +Dependencies for Windows CPython builds are `stored in a separate repository `_ +and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. + +In this script the libraries to fetch are designated by ``{name}-{version}`` git refs being added to the ``libraries`` variable. +SBOM tooling in the CPython repository matches these git refs in order to build the :cpy-file:`Misc/externals.spdx.json` +SBOM file. When updating external dependencies for a CPython branch: + +1. Push the update to the ``cpython-source-deps`` repository and create a new git tag. +2. Update the entry for the project in ``get_externals.bat``. +3. Run ``make regen-sbom`` in the CPython source repository. +4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff`` +5. Commit the changes and have them merged together. From 6646cf8d782abad40d1fc31945b98d1c55dabb86 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 29 Feb 2024 08:26:44 -0600 Subject: [PATCH 2/7] Apply suggestions from code review Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- developer-workflow/sbom.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 75f7d81ee..bd49a75a6 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
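Review bot: in the ``@@ -66`` hunk, "``licenseConcluded`` must be ``NOASSERTION``" drops the previous instruction without saying why; a one-sentence rationale (why the concluded license is no longer recorded for these entries) would stop readers who expect an SPDX identifier in that field from reverting it.

Review bot: in the ``@@ -107`` hunk, the procedure relies on the new tag matching the ``{name}-{version}`` ref that the SBOM tooling matches against, but step 1 only says "create a new git tag"; state that the tag name must follow ``{name}-{version}``, and make step 4 concrete by naming the fields that should change in the ``git diff`` (version, download location and the checksum). Step 4 also lacks its terminal period, and the link ``stored in a separate repository `_`` shows no URL target as pasted here, so confirm the target is present in the source.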
@@ -114,12 +114,14 @@ Updating external dependencies (cpython-source-deps) Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. -In this script the libraries to fetch are designated by ``{name}-{version}`` git refs being added to the ``libraries`` variable. -SBOM tooling in the CPython repository matches these git refs in order to build the :cpy-file:`Misc/externals.spdx.json` -SBOM file. When updating external dependencies for a CPython branch: +In this script the libraries to fetch are designated by ``{name}-{version}`` Git refs being added to the ``libraries`` variable. +SBOM tooling in the CPython repository matches these Git refs in order to build the :cpy-file:`Misc/externals.spdx.json` +SBOM file. -1. Push the update to the ``cpython-source-deps`` repository and create a new git tag. +When updating external dependencies for a CPython branch: + +1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag. 2. Update the entry for the project in ``get_externals.bat``. 3. Run ``make regen-sbom`` in the CPython source repository. -4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff`` +4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``. 5. Commit the changes and have them merged together. From cefc01d48aaa142585ddde2cef77e66755a02da3 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 29 Feb 2024 13:16:57 -0600 Subject: [PATCH 3/7] Add PCbuild/build.bat --regen option to docs --- developer-workflow/sbom.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index bd49a75a6..a97353d54 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
@@ -122,6 +122,6 @@ When updating external dependencies for a CPython branch: 1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag. 2. Update the entry for the project in ``get_externals.bat``. -3. Run ``make regen-sbom`` in the CPython source repository. +3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` in the CPython source repository. 4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``. 5. Commit the changes and have them merged together. From a154e0129b682f3ab2e18d9a307cf361efd12512 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 4 Mar 2024 14:19:28 -0600 Subject: [PATCH 4/7] Apply suggestions from code review Co-authored-by: Ezio Melotti --- developer-workflow/sbom.rst | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index a97353d54..16da404f3 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
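Review bot: step 3 now lists ``make regen-sbom`` and ``PCbuild/build.bat --regen`` as interchangeable without saying which applies where; since this section covers the Windows build, say which command is used from a Windows checkout and which from a POSIX one, for example "Run ``make regen-sbom`` (or ``PCbuild/build.bat --regen`` on Windows)".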
@@ -111,17 +111,22 @@ When removing a dependency: Updating external dependencies (cpython-source-deps) ---------------------------------------------------- -Dependencies for Windows CPython builds are `stored in a separate repository `_ -and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. +Dependencies for Windows CPython builds are `stored in a separate repository +`_ and then fetched during +builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. -In this script the libraries to fetch are designated by ``{name}-{version}`` Git refs being added to the ``libraries`` variable. -SBOM tooling in the CPython repository matches these Git refs in order to build the :cpy-file:`Misc/externals.spdx.json` -SBOM file. +In this script the libraries to fetch are designated by ``{name}-{version}`` +Git refs being added to the ``libraries`` variable. +SBOM tooling in the CPython repository matches these Git refs in order +to build the :cpy-file:`Misc/externals.spdx.json` SBOM file. When updating external dependencies for a CPython branch: -1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag. +1. Push the update to the ``cpython-source-deps`` repository and + create a new Git tag. 2. Update the entry for the project in ``get_externals.bat``. -3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` in the CPython source repository. -4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``. +3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` + in the CPython source repository. +4. Use ``git diff`` to verify that the metadata (like version, download location) + in ``externals.spdx.json`` SBOM is updated as expected. 5. Commit the changes and have them merged together. From cc0709a46070c746194746aaa95767020f054e85 Mon Sep 17 00:00:00 2001 
From: Seth Michael Larson Date: Mon, 4 Mar 2024 14:19:46 -0600 Subject: [PATCH 5/7] Update developer-workflow/sbom.rst Co-authored-by: Ezio Melotti --- developer-workflow/sbom.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 16da404f3..f1837b88b 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst @@ -108,8 +108,8 @@ When removing a dependency: 5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and :cpy-file:`Tools/build/generate_sbom.py`. -Updating external dependencies (cpython-source-deps) ----------------------------------------------------- +Updating external dependencies (``cpython-source-deps``) +-------------------------------------------------------- Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during From b32b691f14434299aa29b054061a139d77dea8f0 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 4 Mar 2024 14:44:25 -0600 Subject: [PATCH 6/7] Add warning for non-core developers and external dependencies --- developer-workflow/sbom.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index f1837b88b..3e1c9e823 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
@@ -111,6 +111,13 @@ When removing a dependency: Updating external dependencies (``cpython-source-deps``) -------------------------------------------------------- + .. note:: + Only core developers can push to the ``cpython-source-deps`` repository. + Pull requests are not accepted because the sources must be verified for + integrity. Contributors should create an issue requesting the updated + version and then wait for a core developer to prepare the new version + before proceeding with the next steps below. + Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. From 35887224c79be021b53a8b0172cecee180d916c9 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 11 Mar 2024 12:46:25 -0500 Subject: [PATCH 7/7] Apply suggestions from code review Co-authored-by: Carol Willing --- developer-workflow/sbom.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 3e1c9e823..fbbd592ce 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst @@ -113,8 +113,10 @@ Updating external dependencies (``cpython-source-deps``) .. note:: Only core developers can push to the ``cpython-source-deps`` repository. - Pull requests are not accepted because the sources must be verified for - integrity. Contributors should create an issue requesting the updated + + For this repo to maintain integrity, pull requests from contributors are not accepted. Instead of a pull request, + contributors should + create an issue requesting the updated version and then wait for a core developer to prepare the new version before proceeding with the next steps below. 
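Review bot: in the ``@@ -111`` hunk of patch 6, the body lines of the note appear at the same indentation as the ``.. note::`` marker (``+ .. note::`` followed by ``+ Only core developers ...``); directive content has to be indented relative to the marker for Sphinx to attach it to the admonition, so check the indentation before merging. The note also says sources "must be verified for integrity" without saying what is verified; a short pointer to what the core developer checks when preparing the new version (for example the upstream release checksums or signatures) would make the policy actionable rather than just restrictive.

Review bot: in the ``@@ -113`` hunk of patch 7, the rewritten note is wrapped unevenly: "For this repo to maintain integrity, pull requests from contributors are not accepted. Instead of a pull request," runs well past the width of the surrounding lines while "contributors should" sits alone on the next line, and a blank ``+`` line is introduced inside the directive body. Reflow the three lines to the same width as the rest of the note so the paragraph reads as one unit and the blank line does not risk ending the directive block.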
@@ -122,7 +124,7 @@ Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. -In this script the libraries to fetch are designated by ``{name}-{version}`` +In this :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch are designated by ``{name}-{version}`` Git refs being added to the ``libraries`` variable. SBOM tooling in the CPython repository matches these Git refs in order to build the :cpy-file:`Misc/externals.spdx.json` SBOM file.
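Review bot: "In this :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch" reads oddly and repeats the file name that the immediately preceding context line already gives; either keep the original "In this script" or drop "this" so it reads "In :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch ...". The new line is also noticeably longer than the surrounding wrapped lines, so rewrap it to match.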