From 4b26e9dc1aef6942de354727af75d61c226c5429 Mon Sep 17 00:00:00 2001
From: "Kyle D. McCormick" <kyle@axim.org>
Date: Tue, 16 Apr 2024 16:30:10 -0400
Subject: [PATCH 1/5] build: replace wget->curl, so make upgrade works in tutor

tutor's containers don't have wget installed, and curl -L works
just as well and is installed into basically everything
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 0bb53d1119f4..b459e9424daa 100644
--- a/Makefile
+++ b/Makefile
@@ -130,7 +130,7 @@ endef
 COMMON_CONSTRAINTS_TXT=requirements/common_constraints.txt
 .PHONY: $(COMMON_CONSTRAINTS_TXT)
 $(COMMON_CONSTRAINTS_TXT):
-	wget -O "$(@)" https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt
+	curl -L https://raw.githubusercontent.com/edx/edx-lint/master/edx_lint/files/common_constraints.txt > "$(@)"
 	printf "$(COMMON_CONSTRAINTS_TEMP_COMMENT)" | cat - $(@) > temp && mv temp $(@)
 
 compile-requirements: export CUSTOM_COMPILE_COMMAND=make upgrade

From 39f75f217cc0745a9586114015673b194c3ecde0 Mon Sep 17 00:00:00 2001
From: "Kyle D. McCormick" <kyle@axim.org>
Date: Tue, 16 Apr 2024 16:05:12 -0400
Subject: [PATCH 2/5] refactor: remove requirements/edx-sandbox/shared.[in,txt]

These files were used to assist the Python 3.5 -> 3.8 upgrade,
but they are no longer needed nor referened anywhere. They haven't
been updated for years.
---
 requirements/edx-sandbox/shared.in  | 14 ------------
 requirements/edx-sandbox/shared.txt | 34 -----------------------------
 2 files changed, 48 deletions(-)
 delete mode 100644 requirements/edx-sandbox/shared.in
 delete mode 100644 requirements/edx-sandbox/shared.txt

diff --git a/requirements/edx-sandbox/shared.in b/requirements/edx-sandbox/shared.in
deleted file mode 100644
index 5bcfd9ce712b..000000000000
--- a/requirements/edx-sandbox/shared.in
+++ /dev/null
@@ -1,14 +0,0 @@
-# Core dependencies shared between Python sandboxes for secured execution and edx-platform.
-#
-# DON'T JUST ADD NEW DEPENDENCIES!!!
-#
-# If you open a pull request that adds a new dependency, you should:
-#   * verify that the dependency has a license compatible with AGPLv3
-#   * confirm that it has no system requirements beyond what we already install
-#   * run "make upgrade" to update the detailed requirements files
-
--c ../constraints.txt
-
-cryptography                        # Implementations of assorted cryptography algorithms
-lxml                                # XML parser
-nltk                                # Natural language processing; used by the chem package
diff --git a/requirements/edx-sandbox/shared.txt b/requirements/edx-sandbox/shared.txt
deleted file mode 100644
index 70794cbe57bf..000000000000
--- a/requirements/edx-sandbox/shared.txt
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# This file is autogenerated by pip-compile
-# To update, run:
-#
-#    make upgrade
-#
-cffi==1.14.5
-    # via cryptography
-click==7.1.2
-    # via
-    #   -c requirements/edx-sandbox/../constraints.txt
-    #   nltk
-cryptography==3.2.1
-    # via
-    #   -c requirements/edx-sandbox/../constraints.txt
-    #   -r requirements/edx-sandbox/shared.in
-joblib==0.14.1
-    # via
-    #   -c requirements/edx-sandbox/../constraints.txt
-    #   nltk
-lxml==4.5.0
-    # via
-    #   -c requirements/edx-sandbox/../constraints.txt
-    #   -r requirements/edx-sandbox/shared.in
-nltk==3.6.2
-    # via -r requirements/edx-sandbox/shared.in
-pycparser==2.20
-    # via cffi
-regex==2021.4.4
-    # via nltk
-six==1.16.0
-    # via cryptography
-tqdm==4.61.0
-    # via nltk

From e2734e36cca4cc454dd775fe25a7d824e18524de Mon Sep 17 00:00:00 2001
From: "Kyle D. McCormick" <kyle@axim.org>
Date: Tue, 16 Apr 2024 16:06:59 -0400
Subject: [PATCH 3/5] feat!: expose per-release edx-sandbox dependency pins

See requirements/edx-sandbox/README.rst for more info

BREAKING CHANGE: edx-sandbox/py38.txt will not longer
be updated. Please install from either edx-sandbox/base.txt or
edx-sandbox/releases/*.txt instead.
---
 Makefile                                      |  2 +-
 requirements/edx-sandbox/README.rst           | 59 +++++++++++++++++++
 requirements/edx-sandbox/{py38.in => base.in} |  0
 .../edx-sandbox/{py38.txt => base.txt}        | 24 ++++----
 requirements/edx-sandbox/releases/.gitignore  |  0
 5 files changed, 72 insertions(+), 13 deletions(-)
 create mode 100644 requirements/edx-sandbox/README.rst
 rename requirements/edx-sandbox/{py38.in => base.in} (100%)
 rename requirements/edx-sandbox/{py38.txt => base.txt} (74%)
 create mode 100644 requirements/edx-sandbox/releases/.gitignore

diff --git a/Makefile b/Makefile
index b459e9424daa..6fc019290088 100644
--- a/Makefile
+++ b/Makefile
@@ -110,7 +110,7 @@ shell: ## launch a bash shell in a Docker container with all edx-platform depend
 REQ_FILES = \
 	requirements/edx/coverage \
 	requirements/edx/paver \
-	requirements/edx-sandbox/py38 \
+	requirements/edx-sandbox/base \
 	requirements/edx/base \
 	requirements/edx/doc \
 	requirements/edx/testing \
diff --git a/requirements/edx-sandbox/README.rst b/requirements/edx-sandbox/README.rst
new file mode 100644
index 000000000000..6129aa865b31
--- /dev/null
+++ b/requirements/edx-sandbox/README.rst
@@ -0,0 +1,59 @@
+edx-sandbox: a Python environment for sandboxed execution with CodeJail
+#######################################################################
+
+The requirements in this directory describe a Python environment separate from
+the general edx-platform environment. When correctly configured with
+`CodeJail <https://github.com/openedx/codejail>`_, edx-platform can use
+it to execute untrusted code, particularly instructor-authored Python code
+within ``<script type="loncapa/python">`` ProblemBlock tags.
+
+Files in this directory
+***********************
+
+base.in
+=======
+
+This is the current set of requirements or the edx-sandbox
+environment, and it is used to generate the ``.txt`` files described below.
+These requirements share some constraints with the general edx-platform
+requirements (via ``../constraints.txt``), but otherwise, they are completely
+separate.
+
+We do not recommend installing from this file directly, because
+the packages are not pinned.
+
+base.txt
+========
+
+These are the latest requirement pins for edx-sandbox.
+They are regularly updated with the latest compatible versions of each package.
+
+Install from this file if you wish to always run the latest edx-sandbox
+environment. Take note that there will periodically be breaking changes to
+``base.txt``. For example, we may update the Python version used to generate
+the pins, which may break edx-sandbox environments running older Python
+versions.
+
+releases/(RELEASE_NAME).txt
+===========================
+
+*e.g. releases/redwood.txt, releases/sumac.txt, etc.*
+
+Starting with Quince, every named Open edX release adds one of these files.
+They contain the requirement pins corresponding to ``base.txt`` at the time
+of each release.
+
+Install from one of these files if you want to run a stable edx-sandbox
+environment without breaking changes.
+
+Support windows
+***************
+
+Only ``base.txt`` and the latest ``release/*.txt`` from the latest named
+release are supported by the Open edX community. However, we will leave
+old ``release/*.txt`` files in the repository to assist:
+
+* operators who want to stagger their edx-sandbox upgrade from their general
+  edx-platform upgrade
+* operators who need to temporarily roll back their edx-sandbox environments
+  so that instructors can fix their loncapa Python code.
diff --git a/requirements/edx-sandbox/py38.in b/requirements/edx-sandbox/base.in
similarity index 100%
rename from requirements/edx-sandbox/py38.in
rename to requirements/edx-sandbox/base.in
diff --git a/requirements/edx-sandbox/py38.txt b/requirements/edx-sandbox/base.txt
similarity index 74%
rename from requirements/edx-sandbox/py38.txt
rename to requirements/edx-sandbox/base.txt
index 2523bb1b1d42..c8b5cff8816e 100644
--- a/requirements/edx-sandbox/py38.txt
+++ b/requirements/edx-sandbox/base.txt
@@ -7,19 +7,19 @@
 cffi==1.16.0
     # via cryptography
 chem==1.2.0
-    # via -r requirements/edx-sandbox/py38.in
+    # via -r requirements/edx-sandbox/base.in
 click==8.1.6
     # via
     #   -c requirements/edx-sandbox/../constraints.txt
     #   nltk
 codejail-includes==1.0.0
-    # via -r requirements/edx-sandbox/py38.in
+    # via -r requirements/edx-sandbox/base.in
 contourpy==1.1.1
     # via matplotlib
 cryptography==38.0.4
     # via
     #   -c requirements/edx-sandbox/../constraints.txt
-    #   -r requirements/edx-sandbox/py38.in
+    #   -r requirements/edx-sandbox/base.in
 cycler==0.12.1
     # via matplotlib
 fonttools==4.49.0
@@ -33,21 +33,21 @@ kiwisolver==1.4.5
 lxml==4.9.4
     # via
     #   -c requirements/edx-sandbox/../constraints.txt
-    #   -r requirements/edx-sandbox/py38.in
+    #   -r requirements/edx-sandbox/base.in
     #   openedx-calc
 markupsafe==2.1.5
     # via
     #   chem
     #   openedx-calc
 matplotlib==3.7.5
-    # via -r requirements/edx-sandbox/py38.in
+    # via -r requirements/edx-sandbox/base.in
 mpmath==1.3.0
     # via sympy
 networkx==3.1
-    # via -r requirements/edx-sandbox/py38.in
+    # via -r requirements/edx-sandbox/base.in
 nltk==3.8.1
     # via
-    #   -r requirements/edx-sandbox/py38.in
+    #   -r requirements/edx-sandbox/base.in
     #   chem
 numpy==1.22.4
     # via
@@ -57,7 +57,7 @@ numpy==1.22.4
     #   openedx-calc
     #   scipy
 openedx-calc==3.1.0
-    # via -r requirements/edx-sandbox/py38.in
+    # via -r requirements/edx-sandbox/base.in
 packaging==23.2
     # via matplotlib
 pillow==10.2.0
@@ -66,20 +66,20 @@ pycparser==2.21
     # via cffi
 pyparsing==3.1.1
     # via
-    #   -r requirements/edx-sandbox/py38.in
+    #   -r requirements/edx-sandbox/base.in
     #   chem
     #   matplotlib
     #   openedx-calc
 python-dateutil==2.8.2
     # via matplotlib
 random2==1.0.2
-    # via -r requirements/edx-sandbox/py38.in
+    # via -r requirements/edx-sandbox/base.in
 regex==2023.12.25
     # via nltk
 scipy==1.7.3
     # via
     #   -c requirements/edx-sandbox/../constraints.txt
-    #   -r requirements/edx-sandbox/py38.in
+    #   -r requirements/edx-sandbox/base.in
     #   chem
     #   openedx-calc
 six==1.16.0
@@ -89,7 +89,7 @@ six==1.16.0
     #   python-dateutil
 sympy==1.12
     # via
-    #   -r requirements/edx-sandbox/py38.in
+    #   -r requirements/edx-sandbox/base.in
     #   openedx-calc
 tqdm==4.66.2
     # via nltk
diff --git a/requirements/edx-sandbox/releases/.gitignore b/requirements/edx-sandbox/releases/.gitignore
new file mode 100644
index 000000000000..e69de29bb2d1

From 0db1cc3bf15ec8c4162ca3285977f2f27a0aa408 Mon Sep 17 00:00:00 2001
From: "Kyle D. McCormick" <kyle@axim.org>
Date: Tue, 16 Apr 2024 16:32:54 -0400
Subject: [PATCH 4/5] feat: freeze edx-sandbox requirements for quince

We ran:

    cp requirements/edx-sandbox/base.txt \
       requirements/edx-sandbox/releases/quince.txt
---
 requirements/edx-sandbox/releases/quince.txt | 97 ++++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 requirements/edx-sandbox/releases/quince.txt

diff --git a/requirements/edx-sandbox/releases/quince.txt b/requirements/edx-sandbox/releases/quince.txt
new file mode 100644
index 000000000000..c8b5cff8816e
--- /dev/null
+++ b/requirements/edx-sandbox/releases/quince.txt
@@ -0,0 +1,97 @@
+#
+# This file is autogenerated by pip-compile with Python 3.8
+# by the following command:
+#
+#    make upgrade
+#
+cffi==1.16.0
+    # via cryptography
+chem==1.2.0
+    # via -r requirements/edx-sandbox/base.in
+click==8.1.6
+    # via
+    #   -c requirements/edx-sandbox/../constraints.txt
+    #   nltk
+codejail-includes==1.0.0
+    # via -r requirements/edx-sandbox/base.in
+contourpy==1.1.1
+    # via matplotlib
+cryptography==38.0.4
+    # via
+    #   -c requirements/edx-sandbox/../constraints.txt
+    #   -r requirements/edx-sandbox/base.in
+cycler==0.12.1
+    # via matplotlib
+fonttools==4.49.0
+    # via matplotlib
+importlib-resources==6.1.1
+    # via matplotlib
+joblib==1.3.2
+    # via nltk
+kiwisolver==1.4.5
+    # via matplotlib
+lxml==4.9.4
+    # via
+    #   -c requirements/edx-sandbox/../constraints.txt
+    #   -r requirements/edx-sandbox/base.in
+    #   openedx-calc
+markupsafe==2.1.5
+    # via
+    #   chem
+    #   openedx-calc
+matplotlib==3.7.5
+    # via -r requirements/edx-sandbox/base.in
+mpmath==1.3.0
+    # via sympy
+networkx==3.1
+    # via -r requirements/edx-sandbox/base.in
+nltk==3.8.1
+    # via
+    #   -r requirements/edx-sandbox/base.in
+    #   chem
+numpy==1.22.4
+    # via
+    #   chem
+    #   contourpy
+    #   matplotlib
+    #   openedx-calc
+    #   scipy
+openedx-calc==3.1.0
+    # via -r requirements/edx-sandbox/base.in
+packaging==23.2
+    # via matplotlib
+pillow==10.2.0
+    # via matplotlib
+pycparser==2.21
+    # via cffi
+pyparsing==3.1.1
+    # via
+    #   -r requirements/edx-sandbox/base.in
+    #   chem
+    #   matplotlib
+    #   openedx-calc
+python-dateutil==2.8.2
+    # via matplotlib
+random2==1.0.2
+    # via -r requirements/edx-sandbox/base.in
+regex==2023.12.25
+    # via nltk
+scipy==1.7.3
+    # via
+    #   -c requirements/edx-sandbox/../constraints.txt
+    #   -r requirements/edx-sandbox/base.in
+    #   chem
+    #   openedx-calc
+six==1.16.0
+    # via
+    #   chem
+    #   codejail-includes
+    #   python-dateutil
+sympy==1.12
+    # via
+    #   -r requirements/edx-sandbox/base.in
+    #   openedx-calc
+tqdm==4.66.2
+    # via nltk
+zipp==3.17.0
+    # via importlib-resources

From 85643a17c834df5adaaf94a5ca8cf32dcd3ce3c5 Mon Sep 17 00:00:00 2001
From: "Kyle D. McCormick" <kyle@axim.org>
Date: Tue, 16 Apr 2024 16:27:16 -0400
Subject: [PATCH 5/5] feat: link py38.txt->release/quince.txt for backwards
 compatibility

---
 requirements/edx-sandbox/py38.txt | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 requirements/edx-sandbox/py38.txt

diff --git a/requirements/edx-sandbox/py38.txt b/requirements/edx-sandbox/py38.txt
new file mode 100644
index 000000000000..5164c3975a12
--- /dev/null
+++ b/requirements/edx-sandbox/py38.txt
@@ -0,0 +1,4 @@
+# This file is a temporary compatibility wrapper around quince.txt.
+# It will be removed before Sumac.
+
+-r releases/quince.txt