Additionally, all of these dependencies run on the server, which makes them riskier: if one turns out to be malicious, it has direct access to customer data.
Here are the rules we have worked with so far:
- Any new dependency needs to be thoroughly reviewed and approved
- Dependencies must be hard pinned (exact `==` versions) in sentry's requirements file
Note: If you need to add a dependency by URL, declare it in sentry with a version range and put the URL in getsentry's requirements. This is because we release sentry as a package on PyPI, and PyPI does not accept direct URL dependencies.
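As an added example (not part of sentry's or getsentry's own tooling), here is a small check that enforces the two rules above on a requirements file: every ordinary requirement must be hard pinned with `==`, and any direct URL or VCS reference is flagged as something that belongs in getsentry's requirements rather than sentry's. The `check_requirements` function and the sample requirements text are constructed for this example.

```python
import re

# Matches an ordinary requirement such as "Django==3.2.20", "urllib3>=1.26,<2"
# or "requests". Extras ("[security]") and environment markers ("; ...") are
# tolerated but not interpreted; only the version specifier is examined.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # distribution name
    r"(?:\[[^\]]*\])?"                          # optional extras
    r"\s*(?P<spec>[^;]*?)\s*(?:;.*)?$"          # version specifier, optional marker
)

# Direct references ("pkg @ https://..."), bare URLs and VCS specs are not
# accepted by PyPI as dependencies of an uploaded package, so they have to
# live in getsentry's requirements instead of sentry's.
_URL_RE = re.compile(
    r"^(?:[A-Za-z0-9][A-Za-z0-9._-]*\s*@\s*)?(?:git\+|hg\+|https?://|file://)",
    re.IGNORECASE,
)

# A hard pin is exactly one "==" followed by a concrete version: no ranges,
# no "~=" compatible-release operator and no "==1.2.*" wildcards.
_HARD_PIN_RE = re.compile(r"==\s*[A-Za-z0-9.+!-]+")

REASON_URL = "URL dependency: belongs in getsentry's requirements"
REASON_NOT_PINNED = "not hard pinned with =="
REASON_UNPARSEABLE = "unparseable requirement"


def check_requirements(text):
    """Return (line_no, line, reason) for every line that violates the rules."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-"):               # pip options such as -r or --index-url
            continue
        if _URL_RE.match(line):
            problems.append((line_no, raw, REASON_URL))
            continue
        m = _REQ_RE.match(line)
        if not m:
            problems.append((line_no, raw, REASON_UNPARSEABLE))
            continue
        if not _HARD_PIN_RE.fullmatch(m.group("spec")):
            problems.append((line_no, raw, REASON_NOT_PINNED))
    return problems


# Constructed sample; this is not sentry's real requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements
Django==3.2.20
urllib3>=1.26,<2            # version range: not allowed in sentry
requests                    # unpinned
cryptography~=41.0          # compatible release, still not a hard pin
somepkg @ https://example.invalid/somepkg-1.0.tar.gz
git+https://example.invalid/repo.git#egg=otherpkg
-r base.txt
"""

if __name__ == "__main__":
    for line_no, line, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no}: {reason}: {line.strip()}")
```

Run against the constructed sample, the check passes only the `Django==3.2.20` line and the `-r base.txt` option; the range, the unpinned name, the `~=` specifier and both URL forms are reported with the rule they break.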
Sentry uses BSD/MIT/ISC and Apache 2 licenses, so whatever we use needs to be compatible with those. This means an absolute hard no on GPL/AGPL, and a soft no on LGPL unless absolutely necessary; acceptable uses of LGPL are swappable components such as database drivers.
If you have questions about dependencies, feel free to reach out to owners-python-build.