Other: dependency management is inconsistent #507
Comments
Maybe we should use named categories here so that we don't install all the dev dependencies when we only need the pinned runtime dependencies.
lukpueh added a commit to lukpueh/repository-service-tuf-cli that referenced this issue Feb 8, 2024

Install non-released tuf revision to get improved VerificationResult. Revert when released!

NOTE:
* Updated pyproject.toml manually (for pip install -e .)
* Updated Pipfile via:
  ```
  pipenv install git+https://github.com/theupdateframework/python-tuf@be55b87
  ```
  This also updated Pipfile.lock including all sorts of unrelated updates.
* Updated requirements* files with `make requirements`

See related repository-service-tuf#507

Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh added a commit to lukpueh/repository-service-tuf-cli that referenced this issue Feb 27, 2024

Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh added a commit to lukpueh/repository-service-tuf-cli that referenced this issue Mar 4, 2024

Install python-tuf from non-released revision to get improved VerificationResult. Revert when released!!

NOTE:
* Updated pyproject.toml manually (for pip install -e .)
* Updated Pipfile via:
  ```
  pipenv install git+https://github.com/theupdateframework/python-tuf@be55b87
  ```
  This also updated Pipfile.lock including all sorts of unrelated updates.
* Updated requirements* files with `make requirements`

See related repository-service-tuf#507

Signed-off-by: Lukas Puehringer <[email protected]>
lukpueh added a commit to lukpueh/repository-service-tuf-cli that referenced this issue Mar 11, 2024

Install python-tuf from non-released revision to get improved VerificationResult. Revert when released!!

NOTE:
* Updated pyproject.toml manually (for pip install -e .)
* Updated Pipfile via:
  ```
  pipenv install git+https://github.com/theupdateframework/python-tuf@be55b87
  ```
  This also updated Pipfile.lock including all sorts of unrelated updates.
* Updated requirements* files with `make requirements`

See related repository-service-tuf#507

Signed-off-by: Lukas Puehringer <[email protected]>
MVrachev added a commit that referenced this issue Mar 26, 2024

* Add non-released tuf dependency (WIP)

  Install python-tuf from non-released revision to get improved VerificationResult. Revert when released!!

  NOTE:
  * Updated pyproject.toml manually (for pip install -e .)
  * Updated Pipfile via:
    ```
    pipenv install git+https://github.com/theupdateframework/python-tuf@be55b87
    ```
    This also updated Pipfile.lock including all sorts of unrelated updates.
  * Updated requirements* files with `make requirements`

  See related #507

  Signed-off-by: Lukas Puehringer <[email protected]>

* Add alternative admin cli

  Added commands:
  - `rstuf admin2 ceremony`
  - `rstuf admin2 update`
  - `rstuf admin2 sign`

  Previous work, related discussion, and detailed reasons for the re-write can be found in #477 and #490. These PRs are superseded by this PR.

  Currently, the cli does not interact with the RSTUF API, but reads input data from files passed as cli arguments (update, sign) and optionally writes output data to file using the `--payload-out` option (ceremony, update, sign).

  Preliminary API integration can be found in #477. I suggest to re-implement this in a separate PR, as well as any presentation improvements discussed in #477.

  Signed-off-by: Lukas Puehringer <[email protected]>

* Add test files for alternative cli

  * tests/files/pem: 3 test key pairs in standard pem/pkcs8/subjectPublicKeyInfo format copied from secure-systems-lab/securesystemslib@7952c3f (password is 'hunter2')
  * tests/files/root: exemplary root metadata, crafted manually
  * tests/files/payload: exemplary payload data, crafted using the new cli

  Signed-off-by: Lukas Puehringer <[email protected]>

* Add tests for alternative admin cli

  Signed-off-by: Lukas Puehringer <[email protected]>

* Minor refactor of _filter_root_verification_results

  Try simplify the filter logic.

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2: rename -o, --payload-out to -s, --save

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2: give user feedback about saving file

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2 ceremony: remove targets base url

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2 update: change default in threshold dialog

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2: add key name prompt to online key dialog

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2: warn if `-s` not provided

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2 sign: raise if prev root is missing

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2 sign: raise if already signed and add test

  calling the sign cli on fully signed metadata is a usage mistake. Raising instead of just exiting seems semantically correct (and makes testing easier)

  Signed-off-by: Lukas Puehringer <[email protected]>

* admin2 ceremony: update api format

  Switch to new api format for ceremony cli payload result. Includes a minor dialog restructure and related helper refactor:

  The sections "Metadata expiration" and "Artifacts" in the dialog are replaced with an "Online role settings" section, which prompts for all online role expiries and bins numbers. The root expiry prompt is moved to a separate "Root expiry" section, even though it is still included with the online role settings payload.

  Signed-off-by: Lukas Puehringer <[email protected]>

---------

Signed-off-by: Lukas Puehringer <[email protected]>
Co-authored-by: Martin Vrachev <[email protected]>
What do you want to share with us?
The rstuf cli dependency management is a mix of
Currently these are synced using `make requirements`, which developers must run explicitly. Additionally, given that cli is a distributable package, runtime dependencies must also be managed in pyproject.toml. All of this makes dependency management harder than necessary and prone to get out of sync (which is already the case).
I suggest the following measures to consolidate dependency management in the cli.
* `pyproject.toml`. These are not pinned, but only constrained to exclude versions that are known to not work.
* `Pipfile` and add an editable install entry in the `[dev-packages]` section (a `[packages]` section is not needed).
* `pipenv` to `Pipfile.lock`, if dependencies change above (`pipenv lock`)
* (`pipenv install --dev`)
* (`pipenv install --dev --deploy && pipenv run pytest ...`)

References
No response
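Added example, not part of the original issue or the project's code: a small check for the drift the issue describes, comparing the runtime pins in `Pipfile.lock` against a generated requirements file, including a git-revision dependency like the python-tuf one in the commits above. The function names and sample file contents are assumptions constructed for illustration, as is the premise that the requirements file is derived from the lock's `default` section.

```python
import json
import re
# Constructed sample inputs, not the project's real files. Only the python-tuf
# git URL and revision be55b87 come from this page; the versions are made up.
LOCK = json.dumps({"default": {
    "click": {"version": "==8.1.7"},
    "requests": {"version": "==2.31.0"},
    "tuf": {"git": "https://github.com/theupdateframework/python-tuf", "ref": "be55b87"},
}})
REQS = """\
-i https://pypi.org/simple
click==8.1.3 ; python_version >= '3.7'
tuf @ git+https://github.com/theupdateframework/python-tuf@be55b87
"""
PIN = re.compile(r"([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*(==[^\s;\\]+|@\s*\S+)")

def normalize(name):
    """PEP 503 normalization, so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def locked_pins(lock_text, section="default"):
    """Return {name: pin} for one Pipfile.lock section ('default' = runtime)."""
    pins = {}
    for name, entry in json.loads(lock_text).get(section, {}).items():
        if "version" in entry:
            pins[normalize(name)] = entry["version"]
        elif "git" in entry:  # VCS dependency pinned to a revision
            url = entry["git"] if entry["git"].startswith("git+") else "git+" + entry["git"]
            pins[normalize(name)] = url + "@" + entry.get("ref", "")
    return pins

def requirement_pins(req_text):
    """Return {name: pin} from requirements lines, skipping options and comments."""
    pins = {}
    for line in map(str.strip, req_text.splitlines()):
        match = None if line.startswith(("#", "-")) else PIN.match(line)
        if match:
            pins[normalize(match.group(1))] = match.group(2).lstrip("@ ")
    return pins

def drift(lock_text, req_text):
    """List (name, locked_pin, requirements_pin) wherever the two files disagree."""
    locked, required = locked_pins(lock_text), requirement_pins(req_text)
    return [(n, locked.get(n), required.get(n))
            for n in sorted(set(locked) | set(required))
            if locked.get(n) != required.get(n)]

if __name__ == "__main__":
    print(drift(LOCK, REQS))
```

A non-empty result means the requirements file no longer reflects what was locked, so an install from it would pull different versions than the ones tested against the lock.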