Add docs for updating external dependencies #1280
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -66,7 +66,7 @@ After gathering this information: | ||
| * ``name`` for the project name. | ||
| * ``SPDXID`` which will be ``"SPDXRef-PACKAGE-{name}"``. | ||
| * ``licenseConcluded`` for the SPDX license identifier of the project license. | ||
| * ``licenseConcluded`` must be ``NOASSERTION``. | ||
| * ``versionInfo`` for the version of the project. | ||
| * ``downloadLocation`` should be an HTTPS URL for the project download as an archive. | ||
| * ``checksums[0].checksumValue`` and ``.algorithm`` will be the SHA-256 | ||
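Review bot: The new bullet "``licenseConcluded`` must be ``NOASSERTION``" states a rule without giving a reason. With the old bullet gone (the hunk header gives 7 lines on each side, so one ``licenseConcluded`` line replaces the other), the list no longer says where, if anywhere, the project's SPDX license identifier is recorded. Add a short clause explaining why the value is fixed, and say explicitly that the project license is not to be entered in this field, so that someone adding a package does not change it back.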
| @@ -107,3 +107,35 @@ When removing a dependency: | ||
| that correct package is removed from the SBOM. | ||
| 5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and | ||
| :cpy-file:`Tools/build/generate_sbom.py`. | ||
| Updating external dependencies (``cpython-source-deps``) | ||
| -------------------------------------------------------- | ||
| .. note:: | ||
| Only core developers can push to the ``cpython-source-deps`` repository. | ||
| For this repo to maintain integrity, pull requests from contributors are not accepted. Instead of a pull request, | ||
| contributors should | ||
| create an issue requesting the updated | ||
| version and then wait for a core developer to prepare the new version | ||
| before proceeding with the next steps below. | ||
| Dependencies for Windows CPython builds are `stored in a separate repository | ||
sethmlarson marked this conversation as resolved. | ||
| <https://github.com/python/cpython-source-deps>`_ and then fetched during | ||
| builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. | ||
| In this :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch are designated by ``{name}-{version}`` | ||
| Git refs being added to the ``libraries`` variable. | ||
Collaborator: Would be helpful to clarify where the
Collaborator: This is still unclear. | ||
| SBOM tooling in the CPython repository matches these Git refs in order | ||
| to build the :cpy-file:`Misc/externals.spdx.json` SBOM file. | ||
| When updating external dependencies for a CPython branch: | ||
| 1. Push the update to the ``cpython-source-deps`` repository and | ||
| create a new Git tag. | ||
| 2. Update the entry for the project in ``get_externals.bat``. | ||
| 3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` | ||
| in the CPython source repository. | ||
| 4. Use ``git diff`` to verify that the metadata (like version, download location) | ||
| in ``externals.spdx.json`` SBOM is updated as expected. | ||
| 5. Commit the changes and have them merged together. | ||
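Review bot: The note and step 1 of the numbered list contradict each other for non-core contributors. The note tells them to open an issue, wait for a core developer to prepare the new version, and then continue with "the next steps below", but step 1 is the push and tag in ``cpython-source-deps``, which the note says only core developers can do. Mark step 1 as the core-developer step, or start the contributor's path at step 2, so the two read consistently. Steps 2 and 4 also name ``get_externals.bat`` and ``externals.spdx.json`` without the ``:cpy-file:`` paths used in the paragraphs above. Step 4 could ask the reader to confirm that the download location shown in the diff points at the tag created in step 1, not only that it changed. The sentence about ``{name}-{version}`` Git refs "being added to the ``libraries`` variable" would read more clearly with one example entry.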