On 11/7/24 01:31, Lichtinger, Bernhard wrote:
Hi,

I am looking for some advice: If we use the virtualenv install method, how does 
one keep track of security updates for all the installed dependencies?

I can think of:
- Upgrade regularly all installed packages inside the virtualenv. This might 
break mailman3 if there are incompatible updates.

You can do in the venv
```
pip install --upgrade --upgrade-strategy eager mailman psycopg2-binary mailman-web mailman-hyperkitty
```
I'm not sure if this will update dependencies if there are no updates to the named package, but in any case, incompatibilities should be avoided because if a newer version of a dependency is incompatible, the dependency should be pinned to a compatible version in the project's requirements.

- Try to track all dependencies and check if there are security updates 
published. This might be impossible to achieve.

It shouldn't be too difficult to script this.
```
# Runnable version of the sketch: run inside the venv (needs curl)
pip freeze | grep '==' | while IFS='=' read -r pkg _ ver; do
    # the first <title> starting with a digit is the newest release; the channel's own <title> is skipped
    latest=$(curl -sL "https://pypi.org/rss/project/$pkg/releases.xml" \
             | grep -o '<title>[0-9][^<]*</title>' | head -n 1 | sed 's/<[^>]*>//g')
    [ "$latest" = "$ver" ] || echo "$pkg: installed $ver, newest on PyPI $latest"
done
```
This won't tell you if the newer version is a security update, but it will tell you which packages have newer versions.

- Security updates are so rare, we do not need to bother. ;)

For the Mailman dependencies, this is probably true.

--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
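The version check sketched in the reply above, worked out as an added example (not code from this thread or from the Mailman project): it parses `pip freeze` output, takes the release titles from a PyPI releases feed, and compares versions numerically rather than as strings, ignoring pre-releases unless asked. The `pip freeze` text and the feed are constructed samples; `version_key` is a simplified stand-in for PEP 440 ordering and `include_prerelease` is a parameter invented here.

```python
import re
import xml.etree.ElementTree as ET

def normalize(name):
    # PEP 503 name normalization so 'Example_Pkg' and 'example-pkg' match
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(v):
    # Numeric segments compare numerically; a trailing tag (a1, b2, rc1) sorts
    # before the final release. Simplified: '.post1' is misread as a pre-release.
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        return ((), 0, v)
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # 3.1.0 == 3.1
        nums.pop()
    return (tuple(nums), 0 if m.group(2) else 1, m.group(2))

def parse_freeze(text):
    # name -> pinned version; editable (-e), URL and VCS pins have no '==' and are skipped
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, ver = line.split("==", 1)
            pins[normalize(name)] = ver.strip()
    return pins

def latest_from_rss(xml_text, include_prerelease=False):
    # Only <item> titles are versions; the channel <title> is the feed's name
    titles = [t for t in (i.findtext("title") for i in ET.fromstring(xml_text).iter("item")) if t]
    if not include_prerelease:
        titles = [t for t in titles if version_key(t)[1] == 1]
    return max(titles, key=version_key) if titles else None

def outdated(pins, feeds, include_prerelease=False):
    # {name: (installed, latest)} for every pin with a newer release in its feed
    report = {}
    for name, installed in pins.items():
        latest = latest_from_rss(feeds[name], include_prerelease) if name in feeds else None
        if latest and version_key(latest) > version_key(installed):
            report[name] = (installed, latest)
    return report

# Constructed sample input (not real pip or PyPI output)
FREEZE = "Example_Pkg==1.9.0\nother==3.1\n-e git+https://example.invalid/repo.git#egg=foo\n"
FEED = ('<rss><channel><title>PyPI recent releases for example-pkg</title><item><title>2.0.0rc1'
        '</title></item><item><title>1.9.1</title></item><item><title>1.9.0</title></item></channel></rss>')
FEEDS = {"example-pkg": FEED, "other": "<rss><channel><item><title>3.1.0</title></item></channel></rss>"}
```

To run it against a real venv, pass the output of `pip freeze` to `parse_freeze` and, per package, the body of https://pypi.org/rss/project/NAME/releases.xml as the feed (`ET.fromstring` accepts the raw bytes, so no decoding is needed).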

_______________________________________________
Mailman-users mailing list -- mailman-users@mailman3.org
To unsubscribe send an email to mailman-users-le...@mailman3.org
https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
Archived at: 
https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/KOQIYO33FKZX2JUUTQKH4JRHA7BQLI7K/