Add docs for updating external dependencies #1280
Apply suggestions from code review
Co-authored-by: Ezio Melotti <[email protected]>
sethmlarson and ezio-melotti authored Mar 4, 2024
commit a154e0129b682f3ab2e18d9a307cf361efd12512
21 changes: 13 additions & 8 deletions developer-workflow/sbom.rst
Expand Up @@ -111,17 +111,22 @@ When removing a dependency:
Updating external dependencies (cpython-source-deps)
----------------------------------------------------

Dependencies for Windows CPython builds are `stored in a separate repository <https://github.com/python/cpython-source-deps>`_
and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`.
Dependencies for Windows CPython builds are `stored in a separate repository
<https://github.com/python/cpython-source-deps>`_ and then fetched during
builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`.

In this script the libraries to fetch are designated by ``{name}-{version}`` Git refs being added to the ``libraries`` variable.
SBOM tooling in the CPython repository matches these Git refs in order to build the :cpy-file:`Misc/externals.spdx.json`
SBOM file.
In this script the libraries to fetch are designated by ``{name}-{version}``
Git refs being added to the ``libraries`` variable.
Collaborator: Would be helpful to clarify where the libraries variable is.

Collaborator: This is still unclear.

SBOM tooling in the CPython repository matches these Git refs in order
to build the :cpy-file:`Misc/externals.spdx.json` SBOM file.

When updating external dependencies for a CPython branch:

1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag.
1. Push the update to the ``cpython-source-deps`` repository and
create a new Git tag.
2. Update the entry for the project in ``get_externals.bat``.
3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` in the CPython source repository.
4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``.
3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen``
in the CPython source repository.
4. Use ``git diff`` to verify that the metadata (like version, download location)
in ``externals.spdx.json`` SBOM is updated as expected.
5. Commit the changes and have them merged together.
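Review bot: Step 1 of the new procedure ("Push the update to the ``cpython-source-deps`` repository and create a new Git tag") does not say how the tag must be named, although the paragraph above it states that ``get_externals.bat`` selects libraries by ``{name}-{version}`` Git refs and that the SBOM tooling matches those same refs to build ``Misc/externals.spdx.json``. A tag that does not follow that form would not be matched, so the ``git diff`` check in step 4 would show no update to ``externals.spdx.json`` while the build still fetched the old version. Suggest: "1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag named ``{name}-{version}``, the ref that ``get_externals.bat`` will fetch." The inline comment that the location of the ``libraries`` variable is still unclear is also not addressed by this commit: the rewrapped sentence still only says "added to the ``libraries`` variable" without stating that the variable lives in :cpy-file:`PCbuild/get_externals.bat`; adding "the ``libraries`` variable in :cpy-file:`PCbuild/get_externals.bat`" would resolve it.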