On 11/7/24 01:31, Lichtinger, Bernhard wrote:
> Hi,
> I am looking for some advice: If we use the virtualenv install method, how does
> one keep track of security updates for all the installed dependencies?
> I can think of:
> - Upgrade regularly all installed packages inside the virtualenv. This might
> break mailman3 if there are incompatible updates.
You can do in the venv
```
pip install --upgrade --upgrade-strategy eager mailman psycopg2-binary
mailman-web mailman-hyperkitty
```
I'm not sure if this will update dependencies if there are no updates to
the named package, but in any case, incompatibilities should be avoided
because if a newer version of a dependency is incompatible, the
dependency should be pinned to a compatible version in the project's
requirements.
> - Try to track all dependencies and check if there are security updates
> published. This might be impossible to achieve.
It shouldn't be too difficult to script this.
```
Get the output from `pip freeze` in the venv
for each line split it on `==` into PACKAGE and VERSION
get https://pypi.org/rss/project/PACKAGE/releases.xml
find the first <title>VERSION</title> and compare that VERSION to
the VERSION from `pip freeze`
```
This won't tell you if the newer version is a security update, but it
will tell you which packages have newer versions.
> - Security updates are so rare, we do not need to bother. ;)
For the Mailman dependencies, this is probably true.
--
Mark Sapiro <m...@msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
To unsubscribe send an email to mailman-users-le...@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at:
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/KOQIYO33FKZX2JUUTQKH4JRHA7BQLI7K/
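The check Mark outlines above, written out as an added Python example (not code from this thread or from the Mailman project): it parses `pip freeze` output, takes the first non-pre-release `<title>` from each project's PyPI releases feed, and compares versions numerically rather than as strings (string order puts 3.3.9 after 3.3.10). The freeze output and feeds embedded below are constructed samples; `fetch_feed` is the live, network-using variant and is assumed to use the feed URL from the outline.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

PRERELEASE = re.compile(r"(a|b|rc|dev)\d*$", re.IGNORECASE)  # crude PEP 440 pre-release test

def parse_freeze(freeze_output):
    """Turn `pip freeze` text into {package: version}; editable/VCS lines have no '==' and are skipped."""
    pinned = {}
    for line in freeze_output.splitlines():
        line = line.strip()
        if "==" in line and not line.startswith("#"):
            name, version = line.split("==", 1)
            pinned[name.lower()] = version  # PyPI names are case-insensitive
    return pinned

def version_key(version):
    """Numeric tuple so that '3.3.10' sorts after '3.3.9' (plain string comparison gets that wrong)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def latest_release(rss_xml):
    """Newest non-pre-release version in a PyPI releases feed (PyPI lists items newest first)."""
    for item in ET.fromstring(rss_xml).iter("item"):
        title = (item.findtext("title") or "").strip()
        if title and not PRERELEASE.search(title):
            return title
    return None

def outdated(pinned, feeds):
    """[(package, installed, latest)] for each pinned package whose feed shows a newer release."""
    found = []
    for name, installed in sorted(pinned.items()):
        latest = latest_release(feeds[name]) if name in feeds else None
        if latest and version_key(latest) > version_key(installed):
            found.append((name, installed, latest))
    return found

def fetch_feed(name, timeout=10):
    """Live variant: fetch a project's releases feed from PyPI (needs network; unused by the sample)."""
    with urllib.request.urlopen(f"https://pypi.org/rss/project/{name}/releases.xml", timeout=timeout) as resp:
        return resp.read().decode("utf-8")

# Constructed sample input standing in for `pip freeze` output and three fetched feeds (not real PyPI data).
SAMPLE_FREEZE = "mailman==3.3.9\npsycopg2-binary==2.9.9\nDjango==4.2.1\n"
SAMPLE_FEEDS = {
    "mailman": "<rss><channel><item><title>3.3.10</title></item><item><title>3.3.9</title></item></channel></rss>",
    "psycopg2-binary": "<rss><channel><item><title>2.9.9</title></item></channel></rss>",
    "django": "<rss><channel><item><title>5.0a1</title></item><item><title>4.2.1</title></item></channel></rss>",
}
```

As Mark says, a newer release is not necessarily a security fix, so the resulting list is a prompt to read each project's changelog, not a vulnerability report.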