From 6b6bbad86612e91753ca98bbe3d60db48786e3f7 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Tue, 27 Feb 2024 15:56:40 -0600 Subject: [PATCH 1/7] Add docs for updating external dependencies --- developer-workflow/sbom.rst | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 756c175708..75f7d81ee1 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst @@ -66,7 +66,7 @@ After gathering this information: * ``name`` for the project name. * ``SPDXID`` which will be ``"SPDXRef-PACKAGE-{name}"``. - * ``licenseConcluded`` for the SPDX license identifier of the project license. + * ``licenseConcluded`` must be ``NOASSERTION``. * ``versionInfo`` for the version of the project. * ``downloadLocation`` should be an HTTPS URL for the project download as an archive. * ``checksums[0].checksumValue`` and ``.algorithm`` will be the SHA-256 
@@ -107,3 +107,19 @@ When removing a dependency: that correct package is removed from the SBOM. 5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and :cpy-file:`Tools/build/generate_sbom.py`. + +Updating external dependencies (cpython-source-deps) +---------------------------------------------------- + +Dependencies for Windows CPython builds are `stored in a separate repository `_ +and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. + +In this script the libraries to fetch are designated by ``{name}-{version}`` git refs being added to the ``libraries`` variable. +SBOM tooling in the CPython repository matches these git refs in order to build the :cpy-file:`Misc/externals.spdx.json` +SBOM file. When updating external dependencies for a CPython branch: + +1. Push the update to the ``cpython-source-deps`` repository and create a new git tag. +2. Update the entry for the project in ``get_externals.bat``. +3. Run ``make regen-sbom`` in the CPython source repository. +4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff`` +5. Commit the changes and have them merged together. From 6646cf8d782abad40d1fc31945b98d1c55dabb86 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 29 Feb 2024 08:26:44 -0600 Subject: [PATCH 2/7] Apply suggestions from code review Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> --- developer-workflow/sbom.rst | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 75f7d81ee1..bd49a75a61 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
@@ -114,12 +114,14 @@ Updating external dependencies (cpython-source-deps) Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. -In this script the libraries to fetch are designated by ``{name}-{version}`` git refs being added to the ``libraries`` variable. -SBOM tooling in the CPython repository matches these git refs in order to build the :cpy-file:`Misc/externals.spdx.json` -SBOM file. When updating external dependencies for a CPython branch: +In this script the libraries to fetch are designated by ``{name}-{version}`` Git refs being added to the ``libraries`` variable. +SBOM tooling in the CPython repository matches these Git refs in order to build the :cpy-file:`Misc/externals.spdx.json` +SBOM file. -1. Push the update to the ``cpython-source-deps`` repository and create a new git tag. +When updating external dependencies for a CPython branch: + +1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag. 2. Update the entry for the project in ``get_externals.bat``. 3. Run ``make regen-sbom`` in the CPython source repository. -4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff`` +4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``. 5. Commit the changes and have them merged together. From cefc01d48aaa142585ddde2cef77e66755a02da3 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 29 Feb 2024 13:16:57 -0600 Subject: [PATCH 3/7] Add PCbuild/build.bat --regen option to docs --- developer-workflow/sbom.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index bd49a75a61..a97353d54b 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
@@ -122,6 +122,6 @@ When updating external dependencies for a CPython branch: 1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag. 2. Update the entry for the project in ``get_externals.bat``. -3. Run ``make regen-sbom`` in the CPython source repository. +3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` in the CPython source repository. 4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``. 5. Commit the changes and have them merged together. From a154e0129b682f3ab2e18d9a307cf361efd12512 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 4 Mar 2024 14:19:28 -0600 Subject: [PATCH 4/7] Apply suggestions from code review Co-authored-by: Ezio Melotti --- developer-workflow/sbom.rst | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index a97353d54b..16da404f3e 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
@@ -111,17 +111,22 @@ When removing a dependency: Updating external dependencies (cpython-source-deps) ---------------------------------------------------- -Dependencies for Windows CPython builds are `stored in a separate repository `_ -and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. +Dependencies for Windows CPython builds are `stored in a separate repository +`_ and then fetched during +builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. -In this script the libraries to fetch are designated by ``{name}-{version}`` Git refs being added to the ``libraries`` variable. -SBOM tooling in the CPython repository matches these Git refs in order to build the :cpy-file:`Misc/externals.spdx.json` -SBOM file. +In this script the libraries to fetch are designated by ``{name}-{version}`` +Git refs being added to the ``libraries`` variable. +SBOM tooling in the CPython repository matches these Git refs in order +to build the :cpy-file:`Misc/externals.spdx.json` SBOM file. When updating external dependencies for a CPython branch: -1. Push the update to the ``cpython-source-deps`` repository and create a new Git tag. +1. Push the update to the ``cpython-source-deps`` repository and + create a new Git tag. 2. Update the entry for the project in ``get_externals.bat``. -3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` in the CPython source repository. -4. Verify the metadata (like version, download location) in ``externals.spdx.json`` SBOM is updated as expected with ``git diff``. +3. Run ``make regen-sbom`` or ``PCbuild/build.bat --regen`` + in the CPython source repository. +4. Use ``git diff`` to verify that the metadata (like version, download location) + in ``externals.spdx.json`` SBOM is updated as expected. 5. Commit the changes and have them merged together. From cc0709a46070c746194746aaa95767020f054e85 Mon Sep 17 00:00:00 2001 
From: Seth Michael Larson Date: Mon, 4 Mar 2024 14:19:46 -0600 Subject: [PATCH 5/7] Update developer-workflow/sbom.rst Co-authored-by: Ezio Melotti --- developer-workflow/sbom.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 16da404f3e..f1837b88b5 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst @@ -108,8 +108,8 @@ When removing a dependency: 5. Commit the changes to :cpy-file:`Misc/sbom.spdx.json` and :cpy-file:`Tools/build/generate_sbom.py`. -Updating external dependencies (cpython-source-deps) ----------------------------------------------------- +Updating external dependencies (``cpython-source-deps``) +-------------------------------------------------------- Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during From b32b691f14434299aa29b054061a139d77dea8f0 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 4 Mar 2024 14:44:25 -0600 Subject: [PATCH 6/7] Add warning for non-core developers and external dependencies --- developer-workflow/sbom.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index f1837b88b5..3e1c9e823d 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst 
@@ -111,6 +111,13 @@ When removing a dependency: Updating external dependencies (``cpython-source-deps``) -------------------------------------------------------- + .. note:: + Only core developers can push to the ``cpython-source-deps`` repository. + Pull requests are not accepted because the sources must be verified for + integrity. Contributors should create an issue requesting the updated + version and then wait for a core developer to prepare the new version + before proceeding with the next steps below. + Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. From 35887224c79be021b53a8b0172cecee180d916c9 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Mon, 11 Mar 2024 12:46:25 -0500 Subject: [PATCH 7/7] Apply suggestions from code review Co-authored-by: Carol Willing --- developer-workflow/sbom.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/developer-workflow/sbom.rst b/developer-workflow/sbom.rst index 3e1c9e823d..fbbd592ceb 100644 --- a/developer-workflow/sbom.rst +++ b/developer-workflow/sbom.rst @@ -113,8 +113,10 @@ Updating external dependencies (``cpython-source-deps``) .. note:: Only core developers can push to the ``cpython-source-deps`` repository. - Pull requests are not accepted because the sources must be verified for - integrity. Contributors should create an issue requesting the updated + + For this repo to maintain integrity, pull requests from contributors are not accepted. Instead of a pull request, + contributors should + create an issue requesting the updated version and then wait for a core developer to prepare the new version before proceeding with the next steps below. 
@@ -122,7 +124,7 @@ Dependencies for Windows CPython builds are `stored in a separate repository `_ and then fetched during builds of CPython for Windows in the script :cpy-file:`PCbuild/get_externals.bat`. -In this script the libraries to fetch are designated by ``{name}-{version}`` +In this :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch are designated by ``{name}-{version}`` Git refs being added to the ``libraries`` variable. SBOM tooling in the CPython repository matches these Git refs in order to build the :cpy-file:`Misc/externals.spdx.json` SBOM file.
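Review bot: In the first hunk of PATCH 1/7, the rewritten ``licenseConcluded`` bullet now only says the field "must be ``NOASSERTION``" and drops the explanation the old wording carried, so a reader no longer learns what the field is for or why it is pinned to that value. Suggest keeping a short rationale on the same bullet, for example "``licenseConcluded`` must be ``NOASSERTION``, because the SBOM does not assert a concluded license for the project", so the rule reads as a decision rather than an unexplained constant.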
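Review bot: In the second hunk of PATCH 1/7, step 1 tells the reader to "create a new git tag" without stating the tag format, yet the paragraph just above says the SBOM tooling matches ``{name}-{version}`` git refs from the ``libraries`` variable; a tag in any other form gives the tooling nothing to match. Suggest "1. Push the update to the ``cpython-source-deps`` repository and create a new ``{name}-{version}`` git tag." In the same hunk, step 4 limits verification to "version, download location"; since the earlier section of this file has the SBOM carry a ``checksums[0].checksumValue``, it would be worth telling the reader to review the whole ``git diff`` of ``externals.spdx.json``, checksum fields included where present, rather than only those two fields.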
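Review bot: In PATCH 3/7, step 3 offers ``make regen-sbom`` or ``PCbuild/build.bat --regen`` as interchangeable alternatives without saying which environment each belongs to. Since this section is about the Windows build and ``PCbuild`` is the directory the page already associates with it, suggest spelling that out, e.g. "3. Run ``make regen-sbom`` (or ``PCbuild/build.bat --regen`` on Windows) in the CPython source repository."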
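Review bot: In PATCH 4/7, step 4 reads "in ``externals.spdx.json`` SBOM is updated as expected" and is missing an article; suggest "in the ``externals.spdx.json`` SBOM is updated as expected." The rewrap to a narrower line width in this hunk otherwise looks consistent with the rest of the file.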
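Review bot: In PATCH 6/7, the new note says pull requests are not accepted "because the sources must be verified for integrity" but does not say what that verification consists of or where it is described, so neither contributors nor reviewers can tell what a core developer is expected to check before tagging a new version. Because the ``externals.spdx.json`` SBOM is generated from whatever lands in ``cpython-source-deps``, this verification step is what the SBOM's trustworthiness rests on; suggest adding one sentence describing how an imported source is checked against the upstream release (or a link to wherever that procedure is documented, if it exists) so the integrity claim in the note is actionable.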
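Review bot: In the first hunk of PATCH 7/7, the rewritten note text sits on one very long line followed by two short fragments ("contributors should" / "create an issue requesting the updated"), which is out of step with the ~80-column wrapping PATCH 4/7 introduced for this section; it also switches from "repository" to "repo" in a note that still says "repository" one line earlier. Suggest one rewrapped paragraph: "Only core developers can push to the ``cpython-source-deps`` repository. To maintain the integrity of this repository, pull requests from contributors are not accepted. Instead, contributors should create an issue requesting the updated version and then wait for a core developer to prepare the new version before proceeding with the next steps below."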
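Review bot: In the second hunk of PATCH 7/7, the new sentence "In this :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch are designated by ..." is ungrammatical ("In this" followed directly by a file path) and repeats the file name that the preceding sentence already gives. Suggest either "In :cpy-file:`PCbuild/get_externals.bat`, the libraries to fetch are designated by ``{name}-{version}``" or keeping the original "In this script, the libraries to fetch are designated by ``{name}-{version}``".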