Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Software Bill-of-Materials for Windows source dependencies #112844

Closed
sethmlarson opened this issue Dec 7, 2023 · 4 comments
Closed

Add Software Bill-of-Materials for Windows source dependencies #112844

sethmlarson opened this issue Dec 7, 2023 · 4 comments
Labels
type-feature A feature request or enhancement type-security A security issue

Comments

@sethmlarson
Copy link
Contributor

sethmlarson commented Dec 7, 2023

Proposal:

Part of #112302

An SBOM document has been added for dependencies within CPython itself. This document is kept up-to-date using tooling and CI within the CPython repository. For building the Windows there exists a repository cpython-source-deps which "mirrors" the source code of projects not in the CPython git repo.

These dependencies are pulled in optionally, I still need to investigate what combinations are possible, but I know the possible projects and versions for each CPython branch is captured currently in PCBuild/get_externals.bat.

Will be investigating what the best method for creating an SBOM for these dependencies such that release-tools can stitch it into the final SBOMs that are distributed with release artifacts. There's a chance that no work needs to be done on this repository, in that case this issue will be migrated.

cc @zooba @ned-deily @ambv

Has this already been discussed elsewhere?

See the Discourse topic

Linked PRs

@ned-deily
Copy link
Member

FTR, historically, macOS installer builds do not use cpython-source-deps and there are no plans to do so. That repo was created specifically for Windows builds and has contained patches to various upstream releases (like here) that might not apply to other platforms and doesn't contain patches that may be needed on other platforms like for the macOS installer.

@sethmlarson
Copy link
Contributor Author

@ned-deily That's good to know that these sources are patched! Ack on macOS, I must have misremembered something else.

@zooba
Copy link
Member

zooba commented Dec 8, 2023

FTR, I have no concerns about that repo containing patches for other platforms. Virtually all the time those patches are taken from upstream, so they'll work everywhere.

When we patch, we add another tag with an extra version field (e.g. the 8.6.13**.1** I just tagged for Tcl and Tk). And a particular release of Python should always pull from a tag, and those are only listed in get_externals.bat (there are other references in some of the .props files, but those aren't as easy to parse out).

miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 29, 2024
(cherry picked from commit 45d8871)

Co-authored-by: Seth Michael Larson <seth@python.org>
hugovk pushed a commit that referenced this issue Feb 29, 2024
…6128)

Co-authored-by: Seth Michael Larson <seth@python.org>
woodruffw pushed a commit to woodruffw-forks/cpython that referenced this issue Mar 4, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Apr 16, 2024
(cherry picked from commit d70ee13)

Co-authored-by: Seth Michael Larson <seth@python.org>
zooba pushed a commit that referenced this issue Apr 16, 2024
(cherry picked from commit d70ee13)

Co-authored-by: Seth Michael Larson <seth@python.org>
diegorusso pushed a commit to diegorusso/cpython that referenced this issue Apr 17, 2024
sethmlarson added a commit to sethmlarson/cpython that referenced this issue May 2, 2024
@sethmlarson
Copy link
Contributor Author

Going to close this issue as we now have Windows SBOMs containing source dependencies for 3.13.0b1 🥳

miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 20, 2024
…honGH-118521)

(cherry picked from commit 1195c16)

Co-authored-by: Seth Michael Larson <seth@python.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 20, 2024
…honGH-118521)

(cherry picked from commit 1195c16)

Co-authored-by: Seth Michael Larson <seth@python.org>
hugovk pushed a commit that referenced this issue May 20, 2024
…-118521) (#119237)

Co-authored-by: Seth Michael Larson <seth@python.org>
hugovk pushed a commit that referenced this issue May 20, 2024
…-118521) (#119238)

Co-authored-by: Seth Michael Larson <seth@python.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type-feature A feature request or enhancement type-security A security issue
Projects
None yet
Development

No branches or pull requests

3 participants