Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: tighten build system to only use source pkgs in more places #7999

Merged
merged 3 commits into from
Oct 14, 2022
Merged

build: tighten build system to only use source pkgs in more places #7999

merged 3 commits into from
Oct 14, 2022

Conversation

SomberNight
Copy link
Member

@SomberNight SomberNight commented Oct 5, 2022
edited
Loading

  • the following requirements files are restricted to only include source packages:
    • requirements.txt
    • requirements-build-wine
    • requirements-build-mac
    • requirements-build-appimage
    • requirements-build-android
  • note that the first four (so excluding -build-android) have already been used via pip install --no-binary :all:

By only including hashes for the source packages of our dependencies, (and not using prebuilt binaries,) this paves the way towards auditing our dependencies in an easier way
In the future, I would like all deps to be built from source, perhaps with a small handful of whitelisted exceptions (e.g. pyqt5 and cryptography). All the requirements-*.txt files should include hashes for only source dists.
Then, as part of running freeze_packages.sh, we could audit the diff of the sources of our deps.

@SomberNight
Copy link
Member Author

Ok, so the Android build is failing...
I will split that commit out into a separate PR.

@SomberNight SomberNight mentioned this pull request Oct 5, 2022
Merged
@SomberNight SomberNight marked this pull request as ready for review October 5, 2022 17:19
@SomberNight
Copy link
Member Author

SomberNight commented Oct 5, 2022
edited
Loading

Hmm. The android build is still failing...

ok, so I believe the failure is due to rerunning freeze_packages.sh, which bumped sh==1.14.2 to sh==1.14.3.
kivy/python-for-android#2637

@SomberNight
Copy link
Member Author

SomberNight commented Oct 6, 2022
edited
Loading

note: planning to have #8002 first

edit: turns out rebasing p4a atm is difficult due to NDK version incompatibility with Qt, I cherry-picked relevant p4a upstream commits onto our p4a fork instead, in e.g. 0efc881

@SomberNight SomberNight merged commit 7d4538c into spesmilo:master Oct 14, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
build/packaging 📦
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@SomberNight