Define policy for adding or updating Python dependencies

[tiran]

We should create a policy and guiding document how to deal with new dependencies or updates of existing dependencies.

Some thoughts:

• new dependencies should be avoided unless they bring merit. Any new dependencies adds a permanent overhead.
• new dependencies must be reviewed for license, compliance, security, and overall community best practices
• new dependencies and updates must be coordinated with stakeholders for all hardware targets (Nvidia CUDA, AMD ROCm, Intel Gaudi). Gaudi is a bit problematic, because the stack needs downstream builds and forks from Intel.

[leseb]

I like the idea. Additionally, is it worth running an inspection of the current deps as well and see if some could be removed too?

[bjhargrave]

Most of the repos other than instructlab have dependabot keeping dependencies up-to-date. Eventually we need to add dependabot to the instructlab certainly for the workflows but also for the python dependencies.

[russellb]

Most of the repos other than instructlab have dependabot keeping dependencies up-to-date. Eventually we need to add dependabot to the instructlab certainly for the workflows but also for the python dependencies.

Yes! I've been meaning to look at this, but haven't gotten around to it. It would be great if you were interested in working on this at some point!

[bjhargrave]

It would be great if you were interested in working on this at some point!

It is on my dance card 🕺

[nathan-weinberg]

We also need to ensure any dependencies that are added are compliant from a licensing POV - @mrutkows is our resident expert on that AFAIK 😄

[github-actions]

This issue has been automatically marked as stale because it has not had activity within 90 days. It will be automatically closed if no further activity occurs within 30 days.