Python Dependencies
Unlike our frontend JavaScript story, where we're generally very happy pulling in dependencies, we're much more conservative on the backend. Any dependency we pull in might require us to eventually (and temporarily) fork and vendor it if the upstream project stops supporting our version of Python.
Additionally, all of these dependencies run on the server, which makes them riskier: they have direct access to customer data if they turn out to be malicious.
So here are the rules we have worked with so far:
Rules on Dependencies
- Any new dependency needs to be thoroughly reviewed and approved
- Dependencies must be hard pinned in the requirements file of sentry
Note: If you need to add a dependency that is specified by URL, you will have to declare it with a version range in sentry's requirements and put the URL in getsentry's requirements. This is because we release sentry as a package on PyPI, and PyPI does not accept URL requirements.
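The hard-pin rule above is easy to check mechanically. The following stdlib-only script is an added illustration, not part of sentry's or getsentry's tooling: it walks a requirements file and reports every requirement that is not pinned with `==`, and separately flags URL requirements, which per the note above do not belong in sentry's own requirements file. The sample requirements text embedded in it is constructed for the example.

```python
import re
import sys

# Constructed sample requirements file for the example; not Sentry's real requirements.
SAMPLE_REQUIREMENTS = """\
# comments and pip options are ignored by the checker
django==3.2.20
requests>=2.28,<3
urllib3==1.26.16 ; python_version < "3.12"
celery
some-lib @ https://example.invalid/some-lib-1.0.tar.gz
git+https://example.invalid/repo.git#egg=repo
-e .
"""

# name, optional extras ([a,b]), exact "==" version, optional environment marker
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*[^\s;]+\s*(;.*)?$"
)


def classify(line):
    """Classify one requirements line.

    Returns 'pinned', 'range', 'unpinned' or 'url', or None for lines
    that carry no requirement (blank, comment, pip option such as -r/-e).
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("-"):
        return None
    # PEP 508 direct references ("name @ url") and VCS/HTTP URLs
    if "@" in stripped or "://" in stripped:
        return "url"
    if PIN_RE.match(stripped):
        return "pinned"
    # any other comparison operator (>=, <, ~=, !=, ...) is a range, not a hard pin
    if re.search(r"[<>~!=]", stripped):
        return "range"
    return "unpinned"


def check_requirements(text):
    """Return [(line_number, kind, line)] for every line violating the hard-pin rule."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        kind = classify(line)
        if kind in ("range", "unpinned", "url"):
            problems.append((number, kind, line.strip()))
    return problems


def main(argv):
    # Check the file given on the command line, or the constructed sample when none is given.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REQUIREMENTS
    problems = check_requirements(text)
    for number, kind, line in problems:
        print(f"line {number}: {kind}: {line}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_pins.py requirements.txt` (the file name is the example's own); a non-zero exit status makes it usable as a CI gate. Environment markers after `;` are allowed on a pinned line, since they do not loosen the version.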
Rules on Licenses
Sentry uses the BSD, MIT, ISC and Apache 2 licenses. Whatever we use needs to be compatible with these. This means an absolute hard no on GPL/AGPL and a soft no on LGPL unless absolutely necessary. Acceptable uses of LGPL are swappable components like database drivers.
Unclear?
If you have questions about dependencies, feel free to reach out to owners-python-build.