new file mode 100755
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+"""
+vendor - QEMU python vendoring utility
+
+usage: vendor [-h]
+
+QEMU python vendoring utility
+
+options:
+ -h, --help show this help message and exit
+"""
+
+# Copyright (C) 2023 Red Hat, Inc.
+#
+# Authors:
+# John Snow <jsnow@redhat.com>
+#
+# This work is licensed under the terms of the GNU GPL, version 2 or
+# later. See the COPYING file in the top-level directory.
+
+import argparse
+import os
+from pathlib import Path
+import subprocess
+import sys
+import tempfile
+
+
+def main() -> int:
+ """Run the vendoring utility. See module-level docstring."""
+ loud = False
+ if os.environ.get("DEBUG") or os.environ.get("V"):
+ loud = True
+
+ # No options or anything for now, but I guess
+ # you'll figure that out when you run --help.
+ parser = argparse.ArgumentParser(
+ prog="vendor",
+ description="QEMU python vendoring utility",
+ )
+ parser.parse_args()
+
+ packages = {
+ "meson==0.61.5":
+ "58c2ddb5f885da0e929f15d89f38d8a7d97f981f56815bcba008414f8511f59a",
+ }
+
+ vendor_dir = Path(__file__, "..", "..", "wheels").resolve()
+
+ with tempfile.NamedTemporaryFile(mode="w", encoding="utf-8") as file:
+ for dep_spec, checksum in packages.items():
+ file.write(f"{dep_spec} --hash=sha256:{checksum}")
+ file.flush()
+
+ cli_args = [
+ "pip",
+ "download",
+ "--dest",
+ str(vendor_dir),
+ "--require-hashes",
+ "-r",
+ file.name,
+ ]
+ if loud:
+ cli_args.append("-v")
+
+ print(" ".join(cli_args))
+ subprocess.run(cli_args, check=True)
+
+ return 0
+
+
+if __name__ == "__main__":
+ sys.exit(main())
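Review bot: The `file.write(...)` call inside the `for dep_spec, checksum in packages.items()` loop writes no line terminator, so once `packages` holds a second entry the requirement specs run together on one line of the temporary requirements file and pip no longer sees separately hashed pins. Ending the string with a newline fixes it: `file.write(f"{dep_spec} --hash=sha256:{checksum}\n")`. Separately, `"pip"` is resolved through PATH and inherits whatever pip configuration is ambient. `--require-hashes` keeps the downloaded artifact pinned to the recorded sha256 either way, but `[sys.executable, "-m", "pip", "download", ...]` would tie the run to the interpreter executing the script. A short comment above `packages` saying how each checksum was obtained and verified would also help whoever next updates the pin.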
This is a teeny-tiny script that just downloads any packages we want to vendor from PyPI and stores them in qemu.git/python/wheels/. If I'm hit by a meteor, it'll be easy to replicate what I have done in order to update the vendored source. We don't really care which python runs it; it exists as a meta-utility with no external dependencies and we won't package or install it. It will be monitored by the linters/type checkers, though; so it's guaranteed safe on python 3.6+. Signed-off-by: John Snow <jsnow@redhat.com> --- python/scripts/vendor.py | 74 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100755 python/scripts/vendor.py