
Add Software Bill-of-Materials for Windows source dependencies #112844

Closed
sethmlarson opened this issue Dec 7, 2023 · 4 comments
Labels
type-feature A feature request or enhancement type-security A security issue

Comments

@sethmlarson
Contributor

sethmlarson commented Dec 7, 2023

Proposal:

Part of #112302

An SBOM document has been added for dependencies within CPython itself. This document is kept up-to-date using tooling and CI within the CPython repository. For building on Windows there exists a repository cpython-source-deps which "mirrors" the source code of projects not in the CPython git repo.

These dependencies are pulled in optionally. I still need to investigate what combinations are possible, but I know the possible projects and versions for each CPython branch are captured currently in PCBuild/get_externals.bat.

Will be investigating what the best method for creating an SBOM for these dependencies such that release-tools can stitch it into the final SBOMs that are distributed with release artifacts. There's a chance that no work needs to be done on this repository, in that case this issue will be migrated.

cc @zooba @ned-deily @ambv

Has this already been discussed elsewhere?

See the Discourse topic

@ned-deily
Member

FTR, historically, macOS installer builds do not use cpython-source-deps and there are no plans to do so. That repo was created specifically for Windows builds and has contained patches to various upstream releases (like here) that might not apply to other platforms and doesn't contain patches that may be needed on other platforms like for the macOS installer.

@sethmlarson
Contributor Author

@ned-deily That's good to know that these sources are patched! Ack on macOS, I must have misremembered something else.

@zooba
Member

zooba commented Dec 8, 2023

FTR, I have no concerns about that repo containing patches for other platforms. Virtually all the time those patches are taken from upstream, so they'll work everywhere.

When we patch, we add another tag with an extra version field (e.g. the 8.6.13**.1** I just tagged for Tcl and Tk). And a particular release of Python should always pull from a tag, and those are only listed in get_externals.bat (there are other references in some of the .props files, but those aren't as easy to parse out).
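As an added illustration of the get_externals.bat-driven approach discussed in this thread (not code from CPython or release-tools), the script below parses constructed sample lines in the shape of PCbuild/get_externals.bat into per-tag records and emits minimal SPDX package entries whose download location is the tag archive. The batch-file line shape, the sample versions and the archive URL pattern are assumptions; it does not try to detect the extra patch-version field zooba describes, because the number of upstream version components differs per project (sqlite normally has four).

```python
import re

# Constructed sample in the shape of PCbuild/get_externals.bat (not the real file).
SAMPLE_BAT = """\
set libraries=
set libraries=%libraries%                                    bzip2-1.0.8
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%  openssl-3.0.13
set libraries=%libraries%                                    sqlite-3.45.1.0
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.13.1
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.13.1
set binaries=%binaries%                                      openssl-bin-3.0.13
"""

# One source-library line, optionally guarded by an Include*Src variable.
LINE_RE = re.compile(
    r'^(?:if NOT "%(?P<guard>\w+)%"=="false" )?'
    r'set libraries=%libraries%\s+(?P<tag>\S+)\s*$'
)
# Tag = project name, a dash, then a dotted numeric version (any component count).
TAG_RE = re.compile(r'^(?P<name>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)$')


def parse_get_externals(text):
    """Return one record per source tag: name, version, full tag, guard variable."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # set-up lines, binaries and anything else are skipped
        t = TAG_RE.match(m.group("tag"))
        if not t:
            raise ValueError(f"unparseable tag: {m.group('tag')}")
        records.append({"name": t.group("name"), "version": t.group("version"),
                        "tag": m.group("tag"), "optional": m.group("guard")})
    return records


def to_spdx_packages(records, org="python"):
    """Minimal SPDX 2.3 package entries pointing at the (assumed) tag archive URL."""
    return [{
        "SPDXID": f"SPDXRef-PACKAGE-{r['name']}",
        "name": r["name"],
        "versionInfo": r["version"],
        "downloadLocation": (f"https://github.com/{org}/cpython-source-deps/"
                             f"archive/refs/tags/{r['tag']}.zip"),
        "primaryPackagePurpose": "SOURCE",
    } for r in records]
```

The `optional` field records which Include*Src variable gates the dependency, which is the information a stitching step needs to drop packages that were not actually built.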

miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 29, 2024
(cherry picked from commit 45d8871)
hugovk pushed a commit that referenced this issue Feb 29, 2024
woodruffw pushed a commit to woodruffw-forks/cpython that referenced this issue Mar 4, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Apr 16, 2024
(cherry picked from commit d70ee13)
zooba pushed a commit that referenced this issue Apr 16, 2024
(cherry picked from commit d70ee13)
diegorusso pushed a commit to diegorusso/cpython that referenced this issue Apr 17, 2024
sethmlarson added a commit to sethmlarson/cpython that referenced this issue May 2, 2024
@sethmlarson
Contributor Author

Going to close this issue as we now have Windows SBOMs containing source dependencies for 3.13.0b1 🥳
