Add Software Bill-of-Materials for Windows source dependencies #112844
Comments
FTR, historically, macOS installer builds do not use
@ned-deily That's good to know that these sources are patched! Ack on macOS, I must have misremembered something else.
FTR, I have no concerns about that repo containing patches for other platforms. Virtually all the time those patches are taken from upstream, so they'll work everywhere. When we patch, we add another tag with an extra version field (e.g. the 8.6.13**.1** I just tagged for Tcl and Tk). And a particular release of Python should always pull from a tag, and those are only listed in
(cherry picked from commit 45d8871) Co-authored-by: Seth Michael Larson <seth@python.org>
(cherry picked from commit d70ee13) Co-authored-by: Seth Michael Larson <seth@python.org>
Going to close this issue as we now have Windows SBOMs containing source dependencies for 3.13.0b1 🥳
…honGH-118521) (cherry picked from commit 1195c16) Co-authored-by: Seth Michael Larson <seth@python.org>
Proposal:
Part of #112302
An SBOM document has been added for dependencies within CPython itself. This document is kept up-to-date using tooling and CI within the CPython repository. For building on Windows there exists a repository, `cpython-source-deps`, which "mirrors" the source code of projects not in the CPython git repo. These dependencies are pulled in optionally; I still need to investigate what combinations are possible, but I know the possible projects and versions for each CPython branch are captured currently in `PCBuild/get_externals.bat`.

Will be investigating the best method for creating an SBOM for these dependencies such that release-tools can stitch it into the final SBOMs that are distributed with release artifacts. There's a chance that no work needs to be done on this repository; in that case this issue will be migrated.
cc @zooba @ned-deily @ambv
Has this already been discussed elsewhere?
See the Discourse topic