Lint: Add Check for pip install
#413
Labels: enhancement, needs-triage
`pip install` should not be used in `melange` YAML files when building Python packages for Wolfi. Why? Because APKs for Python in Wolfi are meant to contain one and only one Python package. Using `pip install` in a Python package adds more than one Python package to an APK. Why only one Python package per APK package? This, to my knowledge, is to make a "better" SBOM (more complete) and to make vulnerability remediation easier.

Unfortunately: there are at least 39 instances currently of `pip install` across Wolfi packages. After these are fixed, I propose adding a lint to detect usage of `pip install` in a `melange` YAML file. It would be fine to add it earlier too, as long as there is a way to disable that particular check during CI (until these instances of `pip install` are removed).

cc @luhring @kaniini

h/t @luhring -- This is really just reporting his finding!

ref wolfi-dev/os#6244
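One way such a check could look, as an added example and not code from melange or Wolfi: a stand-alone Go tool that scans a melange YAML file line by line for `pip install` (also `pip3 install` and `python -m pip install`), skips YAML and shell comment lines so a commented-out command does not trip it, and reports the file and line of each hit. The `-warn-only` flag is the assumed mechanism for keeping the check non-fatal in CI while the existing uses are being removed; the line-based scan rather than a full YAML parse is a design choice of this example, and the configuration embedded in the program is constructed for the demo and is not a real Wolfi package.

```go
package main

import (
	"bufio"
	"flag"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Finding is one use of pip install flagged in a melange YAML file.
type Finding struct {
	File string
	Line int    // 1-based line number in the file
	Text string // the offending line, whitespace-trimmed
}

// pipInstallRe matches "pip install", "pip3 install", "python -m pip install"
// and "python3 -m pip install". The leading group requires the command to
// start the line or follow a separator, so e.g. "pipx install" is not matched.
var pipInstallRe = regexp.MustCompile(`(^|[^[:alnum:]_-])(pip3?|python3?\s+-m\s+pip)\s+install\b`)

// CheckPipInstall scans the content of a melange YAML file and returns one
// Finding per non-comment line that invokes pip install. The scan is
// line-based on purpose: pipeline commands live in `runs: |` block scalars,
// so a YAML parse would hand back the same lines. Lines whose first
// non-blank character is '#' (YAML or shell comment) are skipped.
func CheckPipInstall(file, content string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		trimmed := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(trimmed, "#") {
			continue
		}
		if pipInstallRe.MatchString(trimmed) {
			findings = append(findings, Finding{File: file, Line: n, Text: trimmed})
		}
	}
	return findings
}

// sampleYAML is a constructed melange-style configuration used when the tool
// is run without arguments. It is not a real Wolfi package definition.
const sampleYAML = `package:
  name: py3-example
  version: 1.0.0
  epoch: 0
  description: constructed example for the lint demo

pipeline:
  - uses: fetch
    with:
      uri: https://example.invalid/example-${{package.version}}.tar.gz
  - runs: |
      # pip install here would add extra Python packages to the APK
      pip3 install -r requirements.txt
      python3 -m pip install --no-deps .
      pipx install some-tool
  - uses: python/build
`

func main() {
	warnOnly := flag.Bool("warn-only", false,
		"report findings but exit 0 (for CI while existing pip install uses are removed)")
	flag.Parse()

	var all []Finding
	if flag.NArg() == 0 {
		// No files given: lint the constructed sample so the tool demonstrates itself.
		all = CheckPipInstall("sample.yaml", sampleYAML)
	}
	for _, path := range flag.Args() {
		data, err := os.ReadFile(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		all = append(all, CheckPipInstall(path, string(data))...)
	}

	for _, f := range all {
		fmt.Printf("%s:%d: pip install is not allowed in melange YAML for Wolfi: %s\n", f.File, f.Line, f.Text)
	}
	if len(all) > 0 && !*warnOnly {
		os.Exit(1)
	}
}
```

Run it with no arguments to see the two hits in the embedded sample (the commented-out line and the `pipx install` line are not reported), or point it at real files with `go run . path/to/*.yaml`; adding `-warn-only` prints the same report but exits 0, which is the kind of switch the proposal asks for during the transition.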