Separate security scanned lockfile #159
Conversation
miikkako
force-pushed
the
separate-scanned-lockfile
branch
from
67a3a3c to
98f25e6
Compare
miikkako
force-pushed
the
separate-scanned-lockfile
branch
from
98f25e6 to
a9a5464
Compare
README.rst
Outdated
| Supplied within the python package there is an additional `requirements.txt` file containing locked, security scanned | ||
| dependencies. The file can be used to constrain installed dependencies either directly from the repo or by | ||
| extracting it from the PyPI package. | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| $ pip install -r requirements.txt iqm-client |
There was a problem hiding this comment.
This optional lockfile requirements.txt is merely supplied with the package and how to use it is mentioned in README.
The other option would've been an optional extra dependency like so: pip install iqm-client[lock], like this in the other PR. But it simply does not work with python -m build (invokes setuptools.build_meta via pyproject.toml) if there are checksums (--hash=sha256:...) in the file.
There was a problem hiding this comment.
Example error excerpt:
packaging.requirements.InvalidRequirement: Expected end or semicolon (after version specifier)
accessible-pygments==0.0.5--hash=sha256:40918d3e6a2b619ad424cb91e556bd3bd8865443d9f22f1dcdf79e33c8046872--hash=sha256:88ae3211e68a1d0b011504b2ffc1691feafce124b845bd072ab6f9f66f34d4b7
~~~~~~~^
× Failed to build `.../iqm-client`
├─▶ The build backend returned an error
╰─▶ Call to `setuptools.build_meta.build_sdist` failed (exit status: 1)
hint: This usually indicates a problem with the package or the build environment.
|
requirements.txt should be used in ci, e.g. |
|
This is similar to the qiskit-on-iqm lock file PR which is on hold because people were unhappy with the requirements.txt. Personally, I think the vulnerability checking should be done on the pyproject.toml as we support multiple combinations of python and library versions. Just checking if one of those is safe defeats the point. @shabeebk is looking into this. |
The pyproject.toml way didn't work: see my comment #159 (comment) |
Ok. So the vulnerability scanner only scans latest supported libraries? That sounds like a nice way to overlook vulnerabilities of old library versions. |
I made it so now that there is a script update-requirements.py to keep requirements.txt up to date by upgrading the dependencies listed in pyproject.toml. With that, transitive dependencies aren't automatically updated which can't be controlled anyway when iqm-client is installed as a library. This best-effort security scanned requirements.txt is now used in ci jobs and I've yet to write developer instructions in README |
3.9 is old and nearing its eol. Dependency libraries are also dropping support for it widely.
Co-authored-by: Rakhim Davletkaliyev <rakhim.davletkaliyev@meetiqm.com>
Fix failing build/publish CI from #159
Supply a lockfile with package checksums which is scanned for vulnerabilities by aikido. No functional changes to code.
toxis removed from dependencies and its envs from tox.ini are converted into simple executable files containing commands (test, format, docbuild)uvis used in all ci and its usage is also recommended in README