gh-114250: Fetch metadata for pip and its vendored dependencies from PyPI #114450
Conversation
sethmlarson
force-pushed
the
sbom-fetch-metadata
branch
from
93f257f to
b50fe65
Compare
| @@ -31,14 +38,13 @@ | |||
| "checksums", | |||
| "licenseConcluded", | |||
| "externalRefs", | |||
| "originator", | |||
There was a problem hiding this comment.
This field isn't required by NTIA Minimum Elements, only supplier is required.
| return download_url, checksum_sha256 | ||
|
|
||
| except (OSError, ValueError) as e: | ||
| # Fail if we're running in CI where we should have an internet connection. |
There was a problem hiding this comment.
If the fetch fails in CI we error out, otherwise for local runs we skip.
|
@befeleme How's this, does it fit into your workflow? |
|
I was able to build Python with this version of the script successfully. I have not found the SBOM json file anywhere in the built RPM artifacts. I don't know whether the script actually did anything during the build. From this point of view, with no expectation that we'll actually ship the SBOM file, I'd say it fits into our workflow via not changing anything in it. |
|
Thanks Hugo and Karolina! |
| # We couldn't fetch any metadata from PyPI, | ||
| # so we give up on verifying if we're not in CI. | ||
| if pip_metadata is None: | ||
| return |
There was a problem hiding this comment.
When this happens and the pip wheel is there, the build fails when offline as commented on #114240 (comment)
- the pip vendored dependencies will not be in
PACKAGE_TO_FILES - the pip vendored dependencies will not be in
expected_namesinmain() - the pip vendored dependencies are not removed from
sbom_data - the
actual_names != expected_namescondition is met and the script errors
Closes #114240
Closes #114244
Closes #114250
Works when the pip wheel is missing from the
Lib/ensurepip/_bundleddirectory. Ran the resulting SBOM end-to-end with the proposed release script as well.