gh-112302: Add Software Bill-of-Materials (SBOM) tracking for dependencies #112303
Conversation
Most changes to Python require a NEWS entry. Add one using the blurb_it web app or the blurb command-line tool. If this change has little impact on Python users, wait for a maintainer to apply the
I think a NEWS file would be good here.
This PR needs some documentation for how core developers are expected to run the tooling when updating source dependencies.
Yep, would be good to know who should run it and when (running it now, I get about 20 new entries in the JSON). Maybe something for the devguide. Is it something that should be in the CI? Can also be in followups.
Thanks for the review @hugovk!
I can certainly add something to the devguide, I've created a tracking issue for myself here: python/devguide#1241 For the 20 differences you are seeing, I believe I've pushed the update that would be required (in this case, updating pip). After fetching the latest branch are you seeing the same?
I'm still seeing it, looks like this: hugovk@06ed0fa
@hugovk Got it! I have to add filtering for gitignored files.
No change to the JSON file this time 👍
Looks good. Ready for merge, want to add more, or someone else to review?
@hugovk I'll add the trailing commas then I'm good to merge! Going to add more in followups :)
Thanks!
It would be good to ensure the generated file is treated as such by review tools. |
This PR is a simple adaptation of the tooling used for my experiment to create SBOMs for past and current Python versions. I created a `regen-sbom` Makefile target. This PR needs some documentation for how core developers are expected to run the tooling when updating source dependencies.
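The thread above touches three practical points for a regen-style SBOM target: the generated JSON must be deterministic (so regenerating on an unchanged tree produces no diff), gitignored build output must not leak into the file list, and CI wants a cheap way to detect that someone bumped a vendored dependency without regenerating. The following is an added example of those mechanics, written for this page and not the tooling in the PR or anything in CPython's repository. It assumes that tracked files are enumerated with `git ls-files` (so `.gitignore` rules are honoured by git rather than re-implemented), that an SPDX-like `{"files": [...]}` layout is good enough to illustrate the checksum entries (CPython's real schema is not reproduced here), and that the function names and the sample `Modules/expat` tree are constructed for illustration.

```python
"""Regenerate and check an SBOM "files" section for vendored sources.

Added example, not the tooling in this PR. Assumptions: tracked files come
from `git ls-files` (so gitignored build output is never listed), and the
SPDX-like {"files": [...]} layout is illustrative, not CPython's schema.
"""
import hashlib
import json
import os
import subprocess
import tempfile
from pathlib import Path


def git_tracked_files(repo_root, subdir):
    """Enumerate tracked files via git so .gitignore rules are honoured.
    Assumes git is on PATH and repo_root is a checkout. Not used by the
    constructed demo below, which supplies the list explicitly."""
    out = subprocess.run(
        ["git", "-C", str(repo_root), "ls-files", "-z", "--", subdir],
        check=True, capture_output=True,
    ).stdout
    return [p.decode() for p in out.split(b"\0") if p]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_files_section(repo_root, relpaths):
    """Sorted, de-duplicated entries so two runs on the same tree are identical."""
    root = Path(repo_root)
    return [
        {
            "fileName": "./" + rel.replace(os.sep, "/"),
            "checksums": [{"algorithm": "SHA256",
                           "checksumValue": sha256_of(root / rel)}],
        }
        for rel in sorted(set(relpaths))
    ]


def render_sbom(files_section):
    # Fixed indent, sorted keys and a trailing newline keep review diffs minimal.
    return json.dumps({"files": files_section}, indent=2, sort_keys=True) + "\n"


def regen_sbom(repo_root, relpaths, sbom_path):
    """What a regen target does: rewrite the SBOM from the current tree."""
    text = render_sbom(build_files_section(repo_root, relpaths))
    Path(sbom_path).write_text(text)
    return text


def listed_files(sbom_path):
    return [e["fileName"] for e in json.loads(Path(sbom_path).read_text())["files"]]


def check_sbom(repo_root, relpaths, sbom_path):
    """CI-style drift check: names whose checksum changed, that are listed but
    gone, or present but unlisted. An empty list means the SBOM is current."""
    recorded = {e["fileName"]: e["checksums"][0]["checksumValue"]
                for e in json.loads(Path(sbom_path).read_text())["files"]}
    current = {e["fileName"]: e["checksums"][0]["checksumValue"]
               for e in build_files_section(repo_root, relpaths)}
    return [name for name in sorted(recorded.keys() | current.keys())
            if recorded.get(name) != current.get(name)]


def constructed_tree():
    """Constructed sample checkout (not real CPython sources): two 'tracked'
    files plus one build artifact that git would ignore and never list."""
    root = Path(tempfile.mkdtemp())
    src = root / "Modules" / "expat"
    src.mkdir(parents=True)
    (root / "Misc").mkdir()
    (src / "expat.h").write_text("/* constructed header */\n")
    (src / "xmlparse.c").write_text("/* constructed source */\n")
    (src / "xmlparse.o").write_bytes(b"\x7fELF-not-really")  # gitignored artifact
    tracked = ["Modules/expat/xmlparse.c", "Modules/expat/expat.h"]
    return root, tracked, root / "Misc" / "sbom.spdx.json"


if __name__ == "__main__":
    root, tracked, sbom = constructed_tree()
    regen_sbom(root, tracked, sbom)  # what a `make regen-sbom` step would do
    print("drift after regen:", check_sbom(root, tracked, sbom))
    (root / "Modules" / "expat" / "expat.h").write_text("/* bumped */\n")
    print("drift after edit:", check_sbom(root, tracked, sbom))
```

In a real checkout `git_tracked_files(repo, "Modules/expat")` would replace the hand-written `tracked` list; that is the whole trick for the gitignore problem mentioned in the thread, since an `os.walk` over the directory would pick up `.o` files and other local build output and produce exactly the kind of spurious entries described. `check_sbom` is the piece a CI job would run: it fails when a dependency was updated without regenerating, and is cheap because it only hashes the listed files.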