Update bootstrap requirements #464

Open
eloquence opened this issue Sep 13, 2023 · 4 comments

Comments

@eloquence
Member

Our bootstrap requirements are very outdated, making it difficult to add any current dependencies without running into dependency hell.

  • build is at version 0.3.0 from February 2021
  • pip is at 21.3.1 from October 2021
  • wheel is at 0.36.2 from December 2020

And so on. In the Python ecosystem, build/dependency issues proliferate quickly as you fall behind, due to the huge variety of different systems involved and the conflicting version constraints between them. If we want our build environment to be maintainable in this form, we'll need to update it more regularly.

@eloquence
Member Author

One question this raises for me is if the utility of local wheels (intended to guard against compile-time security risks from upstream) really holds up to scrutiny when compared to the effort required to actually maintain them -- and the cost of falling behind, including in patching potential security issues in the build requirements.

@legoktm
Member

legoktm commented Sep 14, 2023

if the utility of local wheels (intended to guard against compile-time security risks from upstream) really holds up to scrutiny

I roughly had the same opinion when I started dealing with all of this but I now think it's totally worth it. It's insulated us from a number of breaking changes in the Python ecosystem (most recently the PyYAML + Cython incompatibility) and adds security benefits like having cryptography dynamically link against OpenSSL instead of using the upstream wheels which bundle it.

I've yet to personally run into issues with the bootstrap being that outdated but yeah, it's probably good to update it. I'll comment on the other issue though on whether we need poetry in the bootstrap or not.
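The two properties discussed above (a hash-pinned bootstrap whose artifacts can be checked, and locally built wheels that link against the system OpenSSL rather than vendoring it) can both be verified mechanically before anything is signed. The script below is an added example, not code from this project or from either commenter. It assumes a pip-style requirements file with `--hash=sha256:` entries and the auditwheel/delocate convention of placing vendored libraries under `<pkg>.libs/` or `.dylibs/`; neither layout is shown in the issue. The sample wheels and pins are constructed inline so it runs offline.

```python
"""Audit local wheels against hash-pinned bootstrap requirements.

Added example, not the project's own tooling. Assumptions: pins are
`name==version --hash=sha256:<hex>` lines (pip style), and vendored native
libraries live under `<pkg>.libs/` or `.dylibs/` (auditwheel/delocate).
"""
import hashlib
import io
import re
import zipfile

# pip-style pinned requirement: name==version --hash=sha256:<hex> [--hash=...]
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

# Directory conventions used by auditwheel (<pkg>.libs/) and delocate (.dylibs/)
# when they copy shared libraries such as libcrypto into a wheel.
_VENDOR_DIR_RE = re.compile(r"(^|/)[^/]+\.libs/|(^|/)\.dylibs/")
# Catch OpenSSL libraries wherever they were placed.
_OPENSSL_LIB_RE = re.compile(r"(^|/)lib(ssl|crypto)[^/]*\.(so|dylib)(\.\d+)*$")


def parse_pinned_requirements(text):
    """Return {normalized name: (version, {sha256 hex, ...})}.

    Handles `#` comments and backslash continuations, which is how
    pip-compile and `pip hash` output normally looks.
    """
    pins, logical = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            logical.append(line[:-1])
            continue
        logical.append(line)
        joined, logical = " ".join(logical), []
        m = _PIN_RE.match(joined)
        if not m:
            raise ValueError("not an ==-pinned requirement: %r" % joined)
        name = m.group(1).lower().replace("_", "-")
        pins[name] = (m.group(2), set(_HASH_RE.findall(joined)))
    return pins


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_matches_pin(name, wheel_bytes, pins):
    """True only if the wheel's sha256 is one of the hashes pinned for `name`."""
    entry = pins.get(name.lower().replace("_", "-"))
    if entry is None:
        return False
    return sha256_hex(wheel_bytes) in entry[1]


def vendored_shared_libs(wheel_bytes):
    """List archive members that are vendored native libraries.

    A wheel is a zip archive. The package's own extension modules are left
    alone; only libraries copied in from the build host are reported.
    """
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
    return sorted(
        n for n in names
        if _VENDOR_DIR_RE.search(n) or _OPENSSL_LIB_RE.search(n)
    )


def audit_wheel(name, wheel_bytes, pins):
    """Combine the hash check and the vendoring check into one verdict."""
    hash_ok = hash_matches_pin(name, wheel_bytes, pins)
    libs = vendored_shared_libs(wheel_bytes)
    return {"hash_ok": hash_ok, "vendored_libs": libs, "ok": hash_ok and not libs}


def make_wheel(members):
    """Build a minimal, deterministic wheel-like zip in memory (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in sorted(members.items()):
            zf.writestr(zipfile.ZipInfo(path, date_time=(2020, 1, 1, 0, 0, 0)), content)
    return buf.getvalue()


# Constructed samples: a wheel built locally against the system OpenSSL (only
# the package's own extension module) and an upstream-style manylinux wheel
# that bundles libcrypto/libssl.
LOCAL_WHEEL = make_wheel({
    "cryptography/__init__.py": b"__version__ = '41.0.0'\n",
    "cryptography/hazmat/bindings/_rust.abi3.so": b"\x7fELF-stub",
    "cryptography-41.0.0.dist-info/RECORD": b"",
})
UPSTREAM_WHEEL = make_wheel({
    "cryptography/__init__.py": b"__version__ = '41.0.0'\n",
    "cryptography/hazmat/bindings/_rust.abi3.so": b"\x7fELF-stub",
    "cryptography.libs/libcrypto-abcdef12.so.3": b"\x7fELF-stub",
    "cryptography.libs/libssl-abcdef12.so.3": b"\x7fELF-stub",
})

# Constructed pins: the local wheel's real hash, plus a placeholder entry.
PINNED_REQUIREMENTS = (
    "# constructed bootstrap pins\n"
    "cryptography==41.0.0 \\\n"
    "    --hash=sha256:%s\n"
    "pip==21.3.1 --hash=sha256:%s\n"
) % (sha256_hex(LOCAL_WHEEL), "0" * 64)
PINS = parse_pinned_requirements(PINNED_REQUIREMENTS)

if __name__ == "__main__":
    for label, wheel in (("local", LOCAL_WHEEL), ("upstream", UPSTREAM_WHEEL)):
        print(label, audit_wheel("cryptography", wheel, PINS))
```

Running the script reports the local wheel as passing and the upstream-style wheel as failing on both counts: its hash is not pinned and it carries its own libcrypto/libssl, which is exactly the copy that would not receive distribution security updates.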

@legoktm
Member

legoktm commented Sep 14, 2023

when compared to the effort required to actually maintain them

...and on the flip side this is way too manual of a process, it really should be as simple as updating the poetry/requirements input files, running a command that takes care of all the build stuff in containers, and then a final step to sign things, not 5-6 intermediate steps :/

@legoktm
Member

legoktm commented Sep 6, 2024

#501 upgraded pip and build but not wheel. wheel is under PyPA and doesn't need a diff review so hopefully can be upgraded pretty easily.

2 participants