Sentry, as you might know, for the most part runs on an old version of Python (2.7). This version has reached end of life, which has consequences for how we develop and pick dependencies.
Additionally, all these dependencies run on the server and are thus much riskier: if one of them turns out to be malicious, it has direct access to customer data.
So here are the rules we have worked with so far:
- Any new dependency needs to be thoroughly reviewed and approved
- Dependencies must be range-pinned (semver-conforming) in the sentry requirements file
- Dependencies must be hard-pinned in the getsentry requirements file
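A small checker for the two pinning rules above, written for this page as an added example (it is not Sentry's own tooling). It classifies each requirements line and reports lines that do not match the style expected for that repository; the sample requirements files and package versions are constructed for illustration only.

```python
import re

# Requirement line: package name, optional [extras], then the version specifier.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([^#;]*)")
# One version clause, e.g. ">=1.11" or "==2.20.0".
_SPEC_RE = re.compile(r"(===?|~=|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.*+!-]*)")


def classify_pin(line):
    """Classify a requirements line: 'hard', 'range', 'unbounded', 'unpinned' or 'skip'."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return "skip"  # blank line, comment, or pip option such as -r / --index-url
    match = _REQ_RE.match(stripped)
    clauses = _SPEC_RE.findall(match.group(3)) if match else []
    if not clauses:
        return "unpinned"
    ops = [op for op, _ in clauses]
    if ops == ["=="]:
        return "range" if clauses[0][1].endswith("*") else "hard"  # ==1.2.* is a wildcard range
    has_lower = any(op in (">=", ">") for op in ops)
    has_upper = any(op in ("<", "<=") for op in ops)
    if "~=" in ops or (has_lower and has_upper):
        return "range"  # compatible-release, or an explicit lower and upper bound
    return "unbounded"  # lower bound or exclusions only: silently drifts to new majors


def check_requirements(text, expected):
    """Return (line_no, line, kind) for each line not matching the expected style."""
    violations = []
    for number, line in enumerate(text.splitlines(), 1):
        kind = classify_pin(line)
        if kind not in ("skip", expected):
            violations.append((number, line.strip(), kind))
    return violations


# Constructed sample files; package versions are illustrative, not Sentry's real pins.
SENTRY_REQUIREMENTS = "Django>=1.11,<2.0\nrequests>=2.20\nsimplejson==3.16.0\n"
GETSENTRY_REQUIREMENTS = "-r sentry-requirements.txt\nDjango==1.11.29\nrequests>=2.20,<3.0\n"

if __name__ == "__main__":
    for name, text, style in (("sentry", SENTRY_REQUIREMENTS, "range"),
                              ("getsentry", GETSENTRY_REQUIREMENTS, "hard")):
        for number, line, kind in check_requirements(text, style):
            print("%s:%d: %r is %s, expected %s" % (name, number, line, kind, style))
```

Run it against both files in CI so a lower-bound-only or exact pin in sentry, or a range pin in getsentry, fails the build before review.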
To avoid ever breaking master, you can:
- Open a PR in getsentry to update the requirements
- Open a PR in sentry with the same branch name and put #sync-getsentry in the PR description
- Merge both once both PRs are green
Unfortunately you'll have to revert the SHA changes made by the sync bot before merging, so this process is elaborate and time-consuming, but it is by far the safest and never breaks master.
Sentry uses BSD/MIT/ISC and Apache 2 licenses. Whatever we use needs to be compatible with these. This means an absolute hard no on GPL/AGPL and a soft no on LGPL unless absolutely necessary. Acceptable uses of LGPL are swappable components like database drivers.
If you have questions about dependencies, feel free to reach out to Armin Ronacher or Matt Robenolt.