gh-114965: Updated bundled pip to 24.0 #114966
Conversation
sbidoul
commented
Feb 3, 2024
edited by bedevere-app bot
- Issue: Update bundled pip to 24.0 #114965
SBOM updates LGTM, hope the experience was straightforward :)
@sethmlarson I thought the idea of the new SBOM stuff was that we didn't have to change the SBOM data for a pip release? I'm going to assume you've reviewed that as I don't know what I'd check. Also, won't the SBOM data impact the automatic backports? I'll add the "needs backport" labels once this is merged, but if backports are going to need manual intervention on an ongoing basis, that's a bit awkward 🙁
Sorry, @sbidoul and @pfmoore, I could not cleanly backport this to
Sorry, @sbidoul and @pfmoore, I could not cleanly backport this to
@sethmlarson the SBOM procedure went well, although the CI had to remind me to do it, of course :) That's a small additional burden in the pip release process, especially the manual entry of the checksums. Any chance to automate that further? Regarding the backport, I'm stuck because cherry_picker says I'm not in a cpython repo. I do have the
Updated bundled pip to 24.0 (cherry picked from commit a4c298c)
GH-114971 is a backport of this pull request to the 3.12 branch.
I could make it work with an older version of cherry_picker.
Updated bundled pip to 24.0. (cherry picked from commit a4c298c) Co-authored-by: Stéphane Bidoul <stephane.bidoul@gmail.com>
GH-114973 is a backport of this pull request to the 3.11 branch.
Sounds like this bug, Cherry Picker is swallowing warnings and issuing a misleading one:
@sethmlarson gentle ping on the SBOM question
Thanks for the ping @pfmoore, responding to you and @sbidoul's comments:
My thought process for the SBOM tracking "checked in" dependencies was to have the review from experts on the dependency being updated to acknowledge the changes because all non-pip dependencies exist outside a packaging ecosystem and thus have no way to fetch any metadata. Perhaps I can move the pip SBOM generation into the This also does a double-check that what gets checked into the repository actually is the artifact on PyPI, but moving this step to the Python release stage won't add any additional risk, more likely will only catch mistakes much later in the process (but I don't think this really matters).
You mention "checksums" here, do you mean more than the checksum for the wheel itself? That checksum update could also likely be automated, since whatever appears on PyPI for the pip version being claimed should be correct.
I think the problem here is that the pip maintainers likely won't check the SBOM data (I know I won't) but instead will simply trust that the automation worked, so no added value is gained. Add to that the fact that the SBOM breaks automated backports, and the current approach doesn't add any real value while increasing effort. I can also confirm that, like @sbidoul, I wouldn't remember to do the SBOM process until prompted by CI. And I'm concerned about the checksums - I'm on Windows, and I don't immediately know how to reliably calculate a checksum for a file. I'm sure there are utilities (or I could write something in Python) but I'd need to go and look for docs each time. Would I need to manually download all of pip's dependencies to calculate the checksums?
@pfmoore @sbidoul I've opened an issue that would move pip's automated discovery into the CPython release process, rather than the source repository, since pip is a special case as I noted above. Let me know if this proposal makes sense to you. Apologies to you both for the extra burden the past two releases have been. I've tried to optimize for as little manual work as possible, in many cases a bit is unavoidable but for pip it should be.
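The thread above raises two concrete points: how to reliably compute the checksum of a wheel file, and the check that the wheel checked into the repository is the same artifact PyPI publishes. The following is an added example written for this page, not code from the CPython or pip repositories or from any participant. The sample wheel bytes and the release metadata are constructed here; the PyPI JSON API (`/pypi/<project>/<version>/json`) does expose a `urls` list whose entries carry `filename` and `digests.sha256`, and only those two keys are relied on. The function names (`sha256_of_file`, `published_sha256`, `verify_bundled_wheel`, `demo`) are my own choices.

```python
"""Check that a bundled wheel matches the SHA-256 digest PyPI publishes for it."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample input: not a real wheel, and the digest below is computed
# from these bytes, not copied from any real pip release.
SAMPLE_WHEEL_NAME = "example_pkg-1.0-py3-none-any.whl"
SAMPLE_WHEEL_BYTES = b"PK\x03\x04 constructed wheel body, not a real zip archive\n"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so a large wheel is never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def published_sha256(release_json, filename):
    """Return the sha256 PyPI lists for `filename` in a release's JSON metadata.

    Only the ``urls[].filename`` and ``urls[].digests.sha256`` keys are used.
    Raises KeyError if the file is not part of the release, which is itself a
    finding: a wheel that PyPI does not know about should not be bundled.
    """
    for entry in release_json["urls"]:
        if entry["filename"] == filename:
            return entry["digests"]["sha256"]
    raise KeyError(f"{filename} is not listed in the release metadata")


def verify_bundled_wheel(path, release_json):
    """True iff the local file's digest equals the published one for the same filename."""
    expected = published_sha256(release_json, Path(path).name)
    actual = sha256_of_file(path)
    # compare_digest avoids early-exit comparison; harmless here, good habit for digests.
    return hmac.compare_digest(actual.lower(), expected.lower())


def demo():
    """Run the check on a good copy and on a tampered copy of the constructed wheel.

    Returns (result_for_good_copy, result_for_tampered_copy).
    """
    release_json = {
        "urls": [
            {
                "filename": SAMPLE_WHEEL_NAME,
                "digests": {"sha256": hashlib.sha256(SAMPLE_WHEEL_BYTES).hexdigest()},
            }
        ]
    }
    with tempfile.TemporaryDirectory() as tmp:
        good_dir = Path(tmp) / "good"
        bad_dir = Path(tmp) / "tampered"
        good_dir.mkdir()
        bad_dir.mkdir()
        (good_dir / SAMPLE_WHEEL_NAME).write_bytes(SAMPLE_WHEEL_BYTES)
        # Same filename, one byte appended: the digest must no longer match.
        (bad_dir / SAMPLE_WHEEL_NAME).write_bytes(SAMPLE_WHEEL_BYTES + b"\x00")
        ok_good = verify_bundled_wheel(good_dir / SAMPLE_WHEEL_NAME, release_json)
        ok_bad = verify_bundled_wheel(bad_dir / SAMPLE_WHEEL_NAME, release_json)
    return ok_good, ok_bad


if __name__ == "__main__":
    print(demo())
```

For a one-off check on Windows without Python, `certutil -hashfile <file> SHA256` prints the same hex digest that `sha256_of_file` computes. Note that the check compares the local file against PyPI's metadata by filename; it says nothing about the wheel's own dependencies, which is the separate question pfmoore raises about pip's vendored packages.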
Updated bundled pip to 24.0