discuss: implement dependency cooldowns in more areas#2841
discuss: implement dependency cooldowns in more areas#2841agriyakhetarpal wants to merge 20 commits intopypa:mainfrom
Conversation
agriyakhetarpal
force-pushed
the
more-dependency-cooldowns
branch
from
62dcefe to
71e27aa
Compare
|
As I've said, I don't like this. We are already slow in getting updates to users. CPython 3.15.0b1 comes out today; I don't want to wait a week before we have a chance to add it to our main branch! The other dependencies might need to be making releases to support 3.15.0b1 too, we don't want to force old versions that are less likely to be compatible. To support stable free-threading ABI, for example, you need pip and build versions that are around a week old today. Our A day or so might make sense because we have to wait on manylinux, so we generally updates a little sooner than manylinux, so a small delay would help us align better, possibly. Also, CPython released 3.14.5rc1 with about a week window, so anyone with a week cooldown will miss CPython's RC entirely, invalidating the main reason to do an RC. If users want a cooldown, they should apply it to cibulidwheel, not us on our pinned dependencies. If they do apply it, and we do too, it compounds, as well. I believe a much higher reward change (that doesn't have drawbacks, like interfering with shipping new Python releases) would be to add SHA checks for our Python downloads. That would protect against a much |
|
Thanks for your feedback about this @henryiii, I didn't know many of these aspects (and may have missed where you last spoke about it)! I agree and will rethink all Python and PBS-related upgrades, they're not helpful especially if we miss deadlines. I would want us to cascade safer dependencies to our users, but I also want to note that my focus with such a PR is to protect cibuildwheel itself. A day or two might make sense, but the fact that our dependency updates run once a week anyway makes things a bit messy. I'll change to it for Python/PBS and try... Would you suggest that the 7-day cooldowns added to virtualenv and the build constraints, being dependencies of Python at a fundamentally shallower level, are still useful and could be kept? Yes, SHA-pinning is also within my plans – I am happy to start looking at that, and Sigstore attestation verification too. |
agriyakhetarpal
changed the title
Co-Authored-By: Grzegorz Bokota <3826210+Czaki@users.noreply.github.com>
agriyakhetarpal
force-pushed
the
more-dependency-cooldowns
branch
from
868f841 to
da1b6ed
Compare
I was wondering (read: shower-thinking :P) about how dependency cooldowns could have merit in other moving parts of our update machinery besides Dependabot, where we have one set for 7 days. This PR adds dependency cooldowns to:
uv's--exclude-newerupdate_pythons.py). There are some differences:AI disclosure: I used Claude Code in Plan mode on Haiku 4.5 to navigate the Maven and NuGet changes, ping the package repositories, and explore their webpage structure. It gave me decent working code that I refined further.
There is a
CIBW_IGNORE_COOLDOWNenvironment variable to ignore this. Our update-dependencies workflow will set this to false, but I've also added an input for manual triggers. This way, ignoring the cooldown will remain a conscious choice by us.I left the Docker update script as is. I can't understand what we'll do there since it only resolves the current digest of the latest tag. There's no "release date" concept there.
TODO, but doesn't necessarily need to block this PR:
This PR is ready for review, nonetheless!