Description
Proposing that we automate a check that we are pinning to versions of dependencies that we have diff-reviewed. Another variation of this proposal is to start including `build-requirements.txt` files for our non-Debian package projects and actually pinning to our local wheels.
Background
Right now, the sdk wheel is built (indirectly) using securedrop-debian-packaging via `PKG_DIR=../securedrop-client make build-wheels`. Only our Debian package repos, such as securedrop-client, maintain `build-requirements.txt` files so that we can use our own local wheels that we know we have diff-reviewed and built ourselves. It would also be more convenient to use this tool to build wheels and check their prod dependencies directly, e.g. `PKG_DIR=../securedrop-sdk make wheel` or something like that.
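As an added illustration of the automated check being proposed (example code, not part of securedrop-debian-packaging), the script below parses a hash-pinned requirements file and reports every pin whose sha256 hashes are not satisfied by a wheel in a local, diff-reviewed wheel directory. The `name==version --hash=sha256:...` line format and the wheel directory layout are assumptions; the wheel bytes in `demo()` are constructed stand-ins.

```python
"""Check that every hash-pinned requirement matches a locally built, diff-reviewed wheel."""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed line format: name==1.2.3 --hash=sha256:<64 hex> [--hash=sha256:<64 hex> ...]
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$")


def parse_requirements(text):
    """Return {(name, version): {sha256, ...}}; reject lines that are not pinned and hashed."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        name = m.group(1).lower().replace("_", "-")  # normalise the project name
        pins[(name, m.group(2))] = set(re.findall(r"sha256:([0-9a-f]{64})", m.group(3)))
    return pins


def local_wheel_hashes(wheel_dir):
    """Map sha256 -> path for every wheel in the local (diff-reviewed) wheel directory."""
    return {hashlib.sha256(p.read_bytes()).hexdigest(): p for p in Path(wheel_dir).glob("*.whl")}


def check_pins_against_local_wheels(requirements_text, wheel_dir):
    """Return 'name==version' for each pin with no locally built wheel matching any of its hashes."""
    local = set(local_wheel_hashes(wheel_dir))
    return [f"{name}=={version}"
            for (name, version), hashes in parse_requirements(requirements_text).items()
            if not hashes & local]


def demo():
    """Constructed fixture: one reviewed local wheel, one pin that no local wheel satisfies."""
    with tempfile.TemporaryDirectory() as d:
        wheel = Path(d) / "pyyaml-5.3.1-py3-none-any.whl"  # constructed stand-in, not a real wheel
        wheel.write_bytes(b"not a real wheel, just bytes to hash\n")
        reviewed = hashlib.sha256(wheel.read_bytes()).hexdigest()
        reqs = (f"pyyaml==5.3.1 --hash=sha256:{reviewed}\n"
                f"requests==2.22.0 --hash=sha256:{'0' * 64}\n")  # no local wheel for this pin
        return check_pins_against_local_wheels(reqs, d)  # -> ['requests==2.22.0']
```

A non-empty result (or a `ValueError` for an unpinned line) is the CI failure condition: the pin does not correspond to a wheel we built and reviewed ourselves.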