From e7fa89853a5e073f013588962986b887dbd7871b Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Wed, 21 Aug 2024 15:28:47 -0400 Subject: [PATCH] Explicitly document we don't review PyPA packages Per team proposal and decision. Fixes . --- docs/dependency_updates.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/dependency_updates.rst b/docs/dependency_updates.rst index cd6e2e3a..3b637757 100644 --- a/docs/dependency_updates.rst +++ b/docs/dependency_updates.rst @@ -45,11 +45,12 @@ When updating a dependency, one should: 1. **Review the changelog:** were any high-risk areas of the code modified? Were bugs with security implications fixed? -2. **Review the diff:** (If the dependency a major tool in the Python ecosystem, - such as ``pip``, ``setuptools``, or ``wheel``, you can skip this step.) Perform a - timeboxed review of the diff. Are there any concerning areas (primarily in - terms of security)? One can use the diffoscope tool from https://try.diffoscope.org/ - locally to view the diffs in the source code. +2. **Review the diff:** Perform a timeboxed review of the diff. Are there any + concerning areas (primarily in terms of security)? One can use the diffoscope + tool from https://try.diffoscope.org/ locally to view the diffs in the source code. + + * Note: we trust packages managed by the `Python Packaging Authority `_ + (PyPA) and don't diff review them. 3. **Explain version specifiers:** Use comments in ``.in`` or ``pyproject.toml`` files to explain why you are specifying certain versions or ranges.
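Review bot: The new "Note" bullet under step 2 replaces the explicit exemption list (``pip``, ``setuptools``, ``wheel``) with the broader "packages managed by the Python Packaging Authority", but gives the reader no way to check membership; consider keeping the three original names as examples and stating how "PyPA-managed" is determined, e.g. "(PyPA, i.e. projects hosted under the ``pypa`` GitHub organization, such as ``pip``, ``setuptools`` and ``wheel``)". It would also help to say explicitly that the exemption covers only the diff review in step 2 and that step 1 (changelog review) still applies to these packages, since the old parenthetical sat inside step 2 and the new standalone bullet reads as a blanket trust statement. Finally, the ``Python Packaging Authority `_`` reference as shown here has no target after the link text; verify that the rendered RST carries the URL inside angle brackets (``\`Python Packaging Authority <URL>\`_``) so the link resolves.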