[TriLUG] Software library Kevin Baconess

Nikolas Everett via TriLUG trilug at trilug.org
Wed Jan 13 10:38:02 EST 2021


The project I work on stores a hash of the artifact for all of its
dependencies, including transitive ones:
https://github.com/elastic/elasticsearch/blob/master/server/licenses/jna-5.5.0.jar.sha1

We tend to have experts in each of the dependencies who follow the
upstream repos to keep us fairly up to date. It doesn't always work, but we
try. We're actually out of date on the example I linked.

We try to follow the JVM pretty closely. We try to upgrade our master
branch really early in the JVM release cycle so we can find bugs and stuff.
It's rare, but we've found bugs in it and folks have fixed them before the
release.

At some point you have to cut your losses on transitive dependencies. One
of those points for us is not monitoring the JVM's dependencies. On the
other hand we do publish a few docker containers and for those we are
pretty paranoid about dependencies.

I dunno. I figure more paranoia is always better for these things.
Especially given the SolarWinds hack. We were paranoid before it was cool.
But every time I think about the problem I think "oh, we should check these
other things too...."

On Wed, Jan 13, 2021 at 7:50 AM Keith Woodie via TriLUG <trilug at trilug.org>
wrote:

> In general when I am working in python I make sure and use a
> requirements.txt file.   Most modern IDEs will recognize this and install
> the packages as I have requested in the requirements.txt.   You can also
> use pip to read the requirements.txt file on the command line and install
> them for you also.   I am fairly sure that is what the IDEs are doing under
> the covers.   As far as trying to track what the modules I am using are
> using inside them ... I try not to worry about that.   It really is an
> exponential path that really doesn't matter if you organize what you are
> using in your own project.   Here is a quick link on requirements.txt.
>  Maybe this will help.
>
>
> https://www.idkrtm.com/what-is-the-python-requirements-txt/#:~:text=txt%20This%20requirements.,root%20directory%20of%20your%20project
>
> Keith Woodie
>
>
> On Tue, Jan 12, 2021 at 11:53 AM Mauricio Tavares via TriLUG <
> trilug at trilug.org> wrote:
>
> >       Since some of you work developing code, be it as devops or full
> > developers or something else, I was wondering how you keep track of
> > which libraries you are building against. For instance, you may be
> > doing things in python, which may include a module, which in turn
> > relies on other python modules, which then use some C libraries, and
> > eventually you get to Kevin Bacon.
> >
> > That sounds messy.
> >
> > Is there a clever way to keep track of that? Is there a clever *open
> > source* way to do so?
> > --
> > This message was sent to: Keith Woodie <kwoodie at gmail.com>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> > that address.
> > TriLUG mailing list : https://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web  :
> > https://www.trilug.org/mailman/options/trilug/kwoodie%40gmail.com
> > Welcome to TriLUG: https://trilug.org/welcome


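The scheme Nik describes above (a `<artifact>.sha1` sidecar file pinned next to every dependency jar) is straightforward to check mechanically. The script below is an added example, not Elasticsearch's own tooling or anything from the thread: it walks a directory, recomputes SHA-1 over each artifact, and reports four states a reviewer cares about: `ok`, `mismatch` (artifact bytes changed after pinning), `unpinned` (an artifact nobody recorded a hash for) and `missing-artifact` (a pin with no file). It assumes the sidecar holds the hex digest as its first whitespace-delimited token, which is the common Maven layout; the sample tree it builds is constructed for the demo.

```python
"""Verify dependency artifacts against pinned .sha1 sidecar files.

Added example (not project code). Layout assumed:
    libs/jna-5.5.0.jar
    libs/jna-5.5.0.jar.sha1   <- first token is the hex SHA-1 of the jar
"""
import hashlib
import sys
import tempfile
from pathlib import Path


def sha1_of_file(path: Path) -> str:
    """Stream the file through SHA-1 so large jars do not land in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def read_pinned_digest(sidecar: Path) -> str:
    """Return the pinned hex digest, tolerating a trailing filename or empty file."""
    parts = sidecar.read_text().split()
    return parts[0].lower() if parts else ""


def verify_artifacts(dir_path, suffixes=(".jar",)) -> dict:
    """Map each artifact name to 'ok', 'mismatch', 'unpinned' or 'missing-artifact'."""
    dir_path = Path(dir_path)
    results = {}
    for p in sorted(dir_path.iterdir()):
        if p.suffix in suffixes:
            sidecar = p.with_name(p.name + ".sha1")
            if not sidecar.exists():
                # A dependency crept in without anyone recording its hash.
                results[p.name] = "unpinned"
                continue
            actual = sha1_of_file(p)
            results[p.name] = "ok" if actual == read_pinned_digest(sidecar) else "mismatch"
        elif p.suffix == ".sha1":
            artifact = p.with_name(p.name[: -len(".sha1")])
            if not artifact.exists():
                # A pin survived but the artifact it protects is gone.
                results[artifact.name] = "missing-artifact"
    return results


def build_sample_tree(root) -> Path:
    """Constructed sample data covering all four outcomes (not real artifacts)."""
    root = Path(root)
    good = root / "good-1.0.jar"
    good.write_bytes(b"good artifact bytes")
    (root / "good-1.0.jar.sha1").write_text(sha1_of_file(good) + "\n")

    tampered = root / "tampered-2.0.jar"
    tampered.write_bytes(b"original bytes")
    (root / "tampered-2.0.jar.sha1").write_text(sha1_of_file(tampered) + "  tampered-2.0.jar\n")
    tampered.write_bytes(b"modified bytes")  # bytes changed after the hash was pinned

    (root / "unpinned-3.0.jar").write_bytes(b"nobody pinned me")
    (root / "gone-4.0.jar.sha1").write_text("0" * 40 + "\n")  # placeholder digest, no jar
    return root


def demo() -> dict:
    """Run the verifier over the constructed tree and return its report."""
    with tempfile.TemporaryDirectory() as d:
        return verify_artifacts(build_sample_tree(d))


if __name__ == "__main__":
    # Usage: python verify_pins.py [libs-directory]; without an argument, run the demo.
    report = verify_artifacts(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, status in report.items():
        print(f"{status:17} {name}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Run in CI against the checked-in pin directory, the non-zero exit turns any of the three failure states into a build break, which is what makes the pins worth keeping: a hash file that is never compared to the artifact only documents what you once had.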