Sentry, as you might know, for the most part runs on an old version of Python (2.7). This version has reached end of life, which has consequences for how we develop and pick dependencies.
Additionally, all these dependencies run on the server and are thus much riskier: they have direct access to customer data if they turn out to be malicious.
So here are the rules we have worked with so far:
- Any new dependency needs to be thoroughly reviewed and whitelisted
- Dependencies must be range-pinned (semver conforming) in Sentry's requirements file
- Dependencies must be hard-pinned in getsentry
There is currently no system in place to verify pins, so be very careful when working with dependencies or reviewing others' dependency changes.
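Since nothing verifies the pin style today, the following is an added example (not part of this document or of Sentry's own tooling) of a small check that classifies each line of a requirements file and flags the ones that do not match the rule for that repo. It assumes the plain "name<specifiers>" line form only; extras, environment markers, URLs and -r/-e lines are either skipped or reported as invalid, and the sample requirements file is constructed.

```python
import re

# Assumption: plain "name<specifiers>" lines; extras, markers and URLs are not parsed.
_LINE_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$')
_SPEC_RE = re.compile(r'^(===|==|~=|!=|<=|>=|<|>)\s*([A-Za-z0-9.*+!-]+)$')


def classify_pin(line):
    """Classify one requirements line as 'hard', 'range', 'unpinned' or 'invalid'.
    Returns None for blank lines, comments and option lines such as -r/-e."""
    body = line.split('#', 1)[0].strip()
    if not body or body.startswith('-'):
        return None
    m = _LINE_RE.match(body)
    if not m:
        return 'invalid'
    parsed = []
    for spec in (s.strip() for s in m.group(2).split(',') if s.strip()):
        sm = _SPEC_RE.match(spec)
        if not sm:
            return 'invalid'
        parsed.append(sm.groups())
    ops = [op for op, _ in parsed]
    # Hard pin: exactly one ==X.Y.Z, no wildcard.
    if len(parsed) == 1 and ops[0] == '==' and '*' not in parsed[0][1]:
        return 'hard'
    # Range pin: a lower and an upper bound, or a ~= compatible release.
    if '~=' in ops or (any(op in ('>=', '>') for op in ops)
                       and any(op in ('<=', '<') for op in ops)):
        return 'range'
    return 'unpinned'


def find_violations(text, repo):
    """Apply the pin rule for `repo` ('sentry' -> range pins, 'getsentry' -> hard pins)
    and return [(line_no, line, classification)] for every line that breaks it."""
    wanted = {'sentry': 'range', 'getsentry': 'hard'}[repo]
    violations = []
    for no, line in enumerate(text.splitlines(), 1):
        kind = classify_pin(line)
        if kind is not None and kind != wanted:
            violations.append((no, line.strip(), kind))
    return violations


# Constructed sample requirements file used for the demonstration below.
SAMPLE_REQUIREMENTS = "# constructed sample\nDjango>=1.6,<1.7\nraven~=5.0\nsimplejson\npsycopg2==2.5.4\n"

if __name__ == '__main__':
    for repo in ('sentry', 'getsentry'):
        for no, line, kind in find_violations(SAMPLE_REQUIREMENTS, repo):
            print('%s: line %d %r is %s' % (repo, no, line, kind))
```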
Sentry uses the BSD/MIT/ISC and Apache 2 licenses. Whatever we use needs to be compatible with these. This means an absolute hard no on GPL/AGPL and a soft no on LGPL unless absolutely necessary. Acceptable uses of LGPL are swappable components like database drivers.
If you have questions about dependencies, feel free to reach out to Armin Ronacher or Matt Robenolt.