SBOM generator should not look for a pip wheel in a fixed location #114244
Comments
cc @sethmlarson
Thanks for opening this @befeleme! I created #114250 to address the licensing expression issue for pip wrt bundled dependencies, please take a look at my proposal there. I wanted to ask how you were intending to use the SBOM being generated (if at all!) or if the issues you're seeing here are more incidental due to being included in
Technically speaking, if we (Fedora) were to ship the SBOM to our users (which I believe we are not doing unless it's installed by default), we would want pip to be skipped, because it's not part of our Python package, but it's only required. The version available at Python build time might not be the same version that's going to be used, as we update the pip wheel independently.
If regen-sbom was to be a part of regen-all, we'd probably appreciate most a possibility to configure which packages should/not be taken into account when generating the file.
The script and make target, added in Python 3.13.0a3, assumes a fixed location of pip wheel and other bundled libraries, resulting in an error and failed build when not found. Reported upstream: python#114240 and python#114244
The script and make target, added in Python 3.12.2, assumes a fixed location of pip wheel and other bundled libraries, resulting in an error and failed build when not found. Reported upstream: python#114240 and python#114244 Co-Authored-By: Tomáš Hrnčiar <[email protected]>
Bug report
Bug description:
In Fedora Linux, when building Python RPM, we remove the bundled pip wheel. We use an RPM build available in the system instead.
In the past, a new option was added to Python to define a custom location for that wheel: --with-wheel-pkg-dir (#87022). generate_sbom.py doesn't count with this possibility; it looks for pip in a hardcoded location and errors if not found.
Even if there was an option to skip the search for the pip wheel, would it mean that sbom.spdx.json is shipped in the built Python with incorrect data?
Also, please note that pip bundles a lot of other libraries and the actual project license, if it was to reflect that reality, would be a tad more complicated, see: Fedora's pip license tag. In https://github.com/python/cpython/blob/main/Misc/sbom.spdx.json#L1719 there's only MIT declared.
(Additionally, we also use the system expat and _decimal/libmpdec libraries instead of the Python copies, which are hardcoded the same way in the script, so there surely will be more issues with the generated metadata if we were trying to create an SBOM as downstream repackagers.)
CPython versions tested on:
3.13
Operating systems tested on:
Linux
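The report above raises the risk that a shipped sbom.spdx.json keeps declaring bundled components (pip, expat, libmpdec) that a downstream build has replaced with system copies, so scanners would attribute the wrong vulnerabilities to the package. The following is an added example, not code from CPython or the issue, of a downstream consistency check: it walks the SPDX 2.3 JSON layout (packages, files, CONTAINS relationships) and reports every package whose declared files are absent from the tree. The SBOM fragment, versions and paths are constructed for the example.

```python
import json
from pathlib import Path

# Constructed SPDX 2.3 JSON fragment (not CPython's real file): the pip wheel
# listed here has been removed from the tree by the downstream repackager.
SAMPLE_SBOM = json.loads("""
{
  "packages": [
    {"SPDXID": "SPDXRef-PACKAGE-pip", "name": "pip", "versionInfo": "X.Y", "licenseConcluded": "MIT"},
    {"SPDXID": "SPDXRef-PACKAGE-expat", "name": "expat", "versionInfo": "X.Y", "licenseConcluded": "MIT"}
  ],
  "files": [
    {"SPDXID": "SPDXRef-FILE-pip-whl", "fileName": "Lib/ensurepip/_bundled/pip-X.Y-py3-none-any.whl"},
    {"SPDXID": "SPDXRef-FILE-expat-c", "fileName": "Modules/expat/xmlparse.c"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-PACKAGE-pip", "relatedSpdxElement": "SPDXRef-FILE-pip-whl", "relationshipType": "CONTAINS"},
    {"spdxElementId": "SPDXRef-PACKAGE-expat", "relatedSpdxElement": "SPDXRef-FILE-expat-c", "relationshipType": "CONTAINS"}
  ]
}
""")


def declared_files(sbom):
    """Map each package name to the file paths the SBOM says it CONTAINS."""
    path_by_id = {f["SPDXID"]: f["fileName"] for f in sbom.get("files", [])}
    name_by_id = {p["SPDXID"]: p["name"] for p in sbom.get("packages", [])}
    out = {name: [] for name in name_by_id.values()}
    for rel in sbom.get("relationships", []):
        if rel.get("relationshipType") != "CONTAINS" or rel["spdxElementId"] not in name_by_id:
            continue
        path = path_by_id.get(rel["relatedSpdxElement"])
        if path:
            out[name_by_id[rel["spdxElementId"]]].append(path)
    return out


def stale_packages(sbom, present):
    """Packages with declared files missing from `present` (set of relative paths).

    These are the entries a vulnerability scanner would still match even though
    the shipped build uses a system-provided copy of the component instead.
    """
    return {pkg: [p for p in paths if p not in present]
            for pkg, paths in declared_files(sbom).items()
            if any(p not in present for p in paths)}


def audit_tree(sbom_path, root):
    """Run the check against a real checkout rooted at `root`."""
    root = Path(root)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    with open(sbom_path, encoding="utf-8") as fh:
        return stale_packages(json.load(fh), present)
```

A non-empty result from audit_tree() is the signal that the SBOM needs regenerating with the replaced components excluded rather than being shipped as-is.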