Open Bug 1618282 (updatebot) Opened 4 years ago Updated 17 days ago

[meta] Automatic Updating of Dependencies

Categories

(Developer Infrastructure :: Mach Vendor & Updatebot, enhancement)

Tracking

(Not tracked)

People

(Reporter: tjr, Assigned: tjr)

References

(Depends on 9 open bugs)

Details

(Keywords: meta)

This bug tracks the development of a system to detect when updates are available to dependencies, file a bug, apply them to m-c, submit it to try, attach a patch, follow up on the try results and either flag the patch for review or test failures or similar for investigation.

Depends on: 1618285
Depends on: 1619415
Depends on: 1509971
Depends on: 1625055
Depends on: 1625056
Depends on: 1637845
Depends on: 1642704
Depends on: 1646759
Depends on: 1646760
Depends on: 1648255
Depends on: 1657952
Depends on: 1662568
Depends on: 1674897
Depends on: 1674903
Depends on: 1674914
Depends on: 1676934
Depends on: 1677577
Depends on: 1674182
Depends on: 1682815
Depends on: 1689449
Depends on: 1689454
Depends on: 1691975
Depends on: 1692573
Depends on: 1693100
Depends on: 1697839
Depends on: 1699740
Depends on: 1709401
Depends on: 1711982
Depends on: 1712815
Depends on: 1712817
Depends on: 1712953
Depends on: 1678777
Depends on: 1716479

Chatted with Tom over Zoom:

  • UpdateBot will (at least for Python) manage a list of dependencies that it cares about being up-to-date - it isn't going to publish updates for all out-of-date packages.
  • It would be a good idea for Mach developers and the security team to meet in the middle: Mach should expose an interface to update a specific package wherever it's used, regenerate lockfiles, update vendored packages, and so on, and UpdateBot can just interface with this and then run the tasks that it wants to.
  • I've attached a new blocking bug: Mach is currently undergoing some tweaks to allow separate distinct sets of dependencies for different Mach commands. This work affects Python dependency management, so we'll defer UpdateBot's integration with Python until after this Mach work is complete.

Depends on: 1712131
Depends on: 1721247
Depends on: 1729481
Depends on: 1730959
Depends on: 1731357
Depends on: 1731358
Depends on: 1731594
Depends on: 1732104
Depends on: 1738754
Depends on: 1740062

Found in triaging, 302 to the appropriate component. Please let me know if there's anything I may have missed.

Assignee: nobody → tom
Component: General → Mach Vendor & Updatebot
Product: Release Engineering → Developer Infrastructure
Depends on: 1763991
Depends on: 1764600
Depends on: 1764659
Depends on: 1770917
Severity: normal → S3
Depends on: 1855349
Depends on: 1857843
Depends on: 1859085