Closed Bug 1312869 Opened 8 years ago Closed 7 years ago

keep python dependencies up to date

Categories

(Release Engineering Graveyard :: Applications: Balrog (backend), defect, P3)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Unassigned)

References

Details

(Whiteboard: [lang=python])

We've been bad at upgrading our python dependencies. Now that we're Docker-based it should be easier, but we still have to remember to do it. We should consider using https://doppins.com/ or a similar service to help us remember. We probably need to do a manual upgrade of everything before we can use a service. Upgrading sqlalchemy in particular is probably going to require a lot of changes.
Priority: -- → P3
Whiteboard: [lang=python]
I'm going to try to do this in the next month or two. When I poked at pyup a bit, I discovered that we were running an insecure version of at least one package. I don't want to get into that situation again.
Assignee: nobody → bhearsum
Probably can't drive this any further for a while.
Assignee: bhearsum → nobody
Pyup is the new standard. I started poking at this a while back, but stopped because the hosted service required write permissions to the repo. The workaround is to run it yourself from the command line, which I didn't have time to do at the time. See https://github.com/pyupio/pyup/issues/226 for some background.
+1 for pyup. I have it enabled on github.com/mozilla-services/tecken but I'm not sure it's set up the best way since I set it up with my own auth when the project was in the mozilla org. I don't think we need to delay on setting up pyup by the way. It'll be a cascade of overly dangerous PRs submitted when first enabled but we can just ignore that for a couple of months as we work through the "backlog" of long forgotten dependencies. In Socorro we ran into the same problem when we realized we were stunningly behind on python dependencies. We left it open as a big tracker bug and slowly but surely started plucking away at it with more and more piecemeal upgrades.
I agree that we don't need to delay - as long as we don't set it up in a way that allows the pyup service write access to the repo.
You can always set it up on a fork of the canonical repo.
We bit the bullet a couple of weeks ago and enabled Pyup.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Release Engineering → Release Engineering Graveyard