SG-20243: security fix #17
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jfboismenu
commented
Nov 18, 2020
| # not expressly granted therein are reserved by Shotgun Software Inc. | ||
|
|
||
| requests==2.11.1 | ||
| certifi==2020.6.20 |
There was a problem hiding this comment.
Frozen requirements used to be the actual list of packages we install, since there wasn't any dependency, but now that file is generated by pip and requirements.txt is the actual list of stuff we want to install.
pscadding
approved these changes
Dec 15, 2020
| ) | ||
|
|
||
| # Quickly compute the number of requirements we have. | ||
| nb_dependencies = len([_ for _ in open("frozen_requirements.txt", "rt")]) |
There was a problem hiding this comment.
Would this cause issues if we have comments in the frozen_requirements file? Though there shouldn't really, since it is auto generate.
There was a problem hiding this comment.
nm the assert further down would cause someone to look at it, and hopefully see the issue if there was.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This branch introduces a new script called
update_python_packages.pythat allows to repackage the zip file at the root of the repository. It uses pip and the requirements.txt to figure out what needs to be installed and uses pip freeze to dump the exact list of all python packages that were installed. This allows us to have the high level and low level view of what packages were installed and allows Github to notify us if we have unsecure dependencies.Once all dependencies have been downloaded locally to a temporary folder, they are zipped up inside pkgs.zip.