Add docs for updating external dependencies #1280

Open. Wants to merge 7 commits into base: main.
34 changes: 33 additions & 1 deletion developer-workflow/sbom.rst
Expand Up @@ -66,7 +66,7 @@ After gathering this information:

* ``name`` for the project name.
* ``SPDXID`` which will be ``"SPDXRef-PACKAGE-{name}"``.
* ``licenseConcluded`` for the SPDX license identifier of the project license.
* ``licenseConcluded`` must be ``NOASSERTION``.
* ``versionInfo`` for the version of the project.
* ``downloadLocation`` should be an HTTPS URL for the project download as an archive.
* ``checksums[0].checksumValue`` and ``.algorithm`` will be the SHA-256
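Review bot: The rewritten ``licenseConcluded`` bullet replaces the previous instruction (put the project's SPDX license identifier here) with a bare rule, "must be ``NOASSERTION``", and gives no reason for the reversal; a contributor who remembers the old text, or who knows that SPDX permits a concluded license in this field, has nothing telling them why the identifier is no longer wanted and may reintroduce it. Suggest a short rationale or a link to where that decision is recorded, e.g. "* ``licenseConcluded`` must be ``NOASSERTION`` (see <rationale>)." with the placeholder filled in by the author.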
Expand Down Expand Up @@ -107,3 +107,35 @@ When removing a dependency:
that correct package is removed from the SBOM.
5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and
:cpy-file:`Tools/build/generate_sbom.py`.

Updating external dependencies (``cpython-source-deps``)
--------------------------------------------------------

.. note::
Only core developers can push to the ``cpython-source-deps`` repository.

For this repo to maintain integrity, pull requests from contributors are not accepted. Instead of a pull request,
contributors should
create an issue requesting the updated
version and then wait for a core developer to prepare the new version
before proceeding with the next steps below.

Dependencies for Windows CPython builds are `stored in a separate repository
<https://github.com/python/cpython-source-deps>`_ and then fetched during
builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`.

In this :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch are designated by ``{name}-{version}``
Git refs being added to the ``libraries`` variable.
Collaborator: Would be helpful to clarify where the libraries variable is.

Collaborator: This is still unclear.

SBOM tooling in the CPython repository matches these Git refs in order
to build the :cpy-file:`Misc/externals.spdx.json` SBOM file.

When updating external dependencies for a CPython branch:

1. Push the update to the ``cpython-source-deps`` repository and
create a new Git tag.
2. Update the entry for the project in ``get_externals.bat``.
3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen``
in the CPython source repository.
4. Use ``git diff`` to verify that the metadata (like version, download location)
in ``externals.spdx.json`` SBOM is updated as expected.
5. Commit the changes and have them merged together.
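Review bot: Step 1 of the procedure ("Push the update to the ``cpython-source-deps`` repository and create a new Git tag") does not say how the tag must be named, although the paragraph above it states that ``PCbuild/get_externals.bat`` designates libraries as ``{name}-{version}`` Git refs and that the SBOM tooling matches those refs to build ``Misc/externals.spdx.json``; a tag in any other form would be neither fetched by the build nor picked up by ``make regen-sbom``. Suggest "1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag named ``{name}-{version}``." Two smaller points in the same region: step 4 names version and download location as the metadata to check, but the SBOM entries also carry a SHA-256 checksum (see the first hunk), so the ``git diff`` check should explicitly include ``checksums[0].checksumValue``; and the paragraph beginning "For this repo to maintain integrity" is wrapped at arbitrary points ("contributors should" / "create an issue requesting the updated") and, from the diff alone, it is not clear whether it is indented under the ``.. note::`` directive or is a separate paragraph, which changes how it renders, so please reflow it and make the indentation explicit.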