Bug 1312869 - keep python dependencies up to date
Status: Closed (RESOLVED FIXED)
Opened 8 years ago; closed 7 years ago
Product / Component: Release Engineering Graveyard :: Applications: Balrog (backend)
Type: defect; Priority: P3
Tracking: Not tracked
Reporter: bhearsum; Assignee: Unassigned
Whiteboard: [lang=python]
We've been bad at upgrading our python dependencies. Now that we're Docker-based it should be easier, but we still have to remember to do it. We should consider using https://doppins.com/ or a similar service to help us remember.
We probably need to do a manual upgrade of everything before we can use a service. Upgrading sqlalchemy in particular is probably going to require a lot of changes.
Updated by reporter (bhearsum), 8 years ago
Priority: -- → P3
Whiteboard: [lang=python]
Comment 1 (reporter, bhearsum), 7 years ago
I'm going to try to do this in the next month or two. When I poked at pyup a bit, I discovered that we were running an insecure version of at least one package. I don't want to get into that situation again.
Assignee: nobody → bhearsum
Comment 2 (reporter, bhearsum), 7 years ago
Probably can't drive this any further for a while.
Assignee: bhearsum → nobody
Comment 3 (reporter, bhearsum), 7 years ago
Pyup is the new standard. I started poking at this a while back, but stopped because the hosted service required write permissions to the repo. The workaround is to run it yourself from the command line, which I didn't have time to do at the time.
https://github.com/pyupio/pyup/issues/226 for some background.
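A minimal offline version of the check comment 1 describes (flagging pins that sit below a known-safe floor, and entries that are not pinned at all), added here as an illustration; it is not code from this bug, from Balrog or from pyup. The requirements text and the MIN_SAFE floors are constructed sample values, not real advisories.

```python
import re

# Constructed sample requirements file (not Balrog's real pins).
REQUIREMENTS = """\
# web stack
Flask==0.10.1
SQLAlchemy==0.7.10
requests>=2.0
pyyaml
"""

# Constructed floors: package -> lowest version treated as acceptable.
# Hypothetical numbers for illustration, not real advisories.
MIN_SAFE = {"flask": "0.12.3", "sqlalchemy": "1.1.0", "requests": "2.20.0"}

# name, optional comparison operator, optional dotted numeric version
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9.]*)?$")

def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split(".") if p)

def parse_requirements(text):
    """Return a list of (name, operator, version) per line; '' when absent."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError("unsupported requirement line: %r" % line)
        name, op, ver = m.groups()
        out.append((name.lower(), op or "", ver or ""))
    return out

def audit(text, floors):
    """Sort requirements into 'unpinned', 'below_floor' and 'ok' buckets."""
    report = {"unpinned": [], "below_floor": [], "ok": []}
    for name, op, ver in parse_requirements(text):
        if op != "==" or not ver:
            report["unpinned"].append(name)   # no exact pin: cannot be audited
            continue
        floor = floors.get(name)
        if floor and parse_version(ver) < parse_version(floor):
            report["below_floor"].append("%s==%s (< %s)" % (name, ver, floor))
        else:
            report["ok"].append(name)
    return report
```

Running `audit(REQUIREMENTS, MIN_SAFE)` on the sample reports Flask and SQLAlchemy as below their floors and requests and pyyaml as unpinned.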
Comment 5, 7 years ago
+1 for pyup. I have it enabled on github.com/mozilla-services/tecken but I'm not sure it's set up the best way since I set it up with my own auth when the project was in the mozilla org.
I don't think we need to delay on setting up pyup by the way. It'll be a cascade of overly dangerous PRs submitted when first enabled but we can just ignore that for a couple of months as we work through the "backlog" of long forgotten dependencies.
In Socorro we ran into the same problem when we realized we were stunningly behind on python dependencies. We left it open as a big tracker bug and slowly but surely started plucking away at it with more and more piecemeal upgrades.
Comment 6 (reporter, bhearsum), 7 years ago
I agree that we don't need to delay - as long as we don't set it up in a way that allows the pyup service write access to the repo.
Comment 7, 7 years ago
You can always set it on a fork of the canonical repo.
Comment 8 (reporter, bhearsum), 7 years ago
We bit the bullet a couple of weeks ago and enabled Pyup.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated 5 years ago
Product: Release Engineering → Release Engineering Graveyard