add instructions on how to update embedded ots

[anthrotype]

... when a new version is released upstream.

It should be as easy as changing the "version" and "sha256" values in setup.cfg file:

ots-python/setup.cfg

Lines 1 to 6 in dc1c925

	[download]
	; OpenType Sanitizer version that is downloaded from setup.py
	version = 7.1.8
	; expected SHA-256 of the downloaded tarball. E.g. you can calculate it with:
	; $ shasum -a 256 ots-X.X.X.tar.xz
	sha256 = 7e0e3233e7cb07073a48d48fbfccf7a09b1b68fdd60189213c0cf76f59bd2bec

commit that change, create a git tag with the same version number (always keep a leading v, e.g. v7.1.9 in the git tag name), and push the tag. The bots will do the rest.

[felipesanches]

could we have a "meta" check that ensures the locally installed version of the python-ots version is the latest available and, if not, emit a ERROR instructing the user on how to perform the update?

[anthrotype]

No, I don't think you need that. You just need to bump the minimum required version of opentype-sanitizer in fontbakery's setup.py install_requires, and released updated fontbakery whenever opentype-sanitizer is updated.
That will ensure that whenever fontbakery is updated, the latest version of opentype-sanitizer will also be used.

[anthrotype]

basically, you just treat opentype-sanitizer as yet another python dependency.

[felipesanches]

great! So the only remaining concern would be to ensure fontbakery itself is always up-to-date, thus, fonttools/fontbakery#2093

[anthrotype]

yea. this issue is more about reducing the "bus factor" and allow others besides me to keep this repository in sync with the upstream ots repo's release schedule

[felipesanches]

@anthrotype, it is not clear what went wrong here:
https://travis-ci.org/github/googlefonts/ots-python/jobs/771724661

[anthrotype]

@felipesanches Thanks Felipe. It looks like installing twine failed on Linux because pip was too old (it tried to build cryptography package from source and failed, but a more recent pip would download the pre-compiled wheel for cryptography and not fail). I fixed that in faf8c06 and tagged https://github.com/googlefonts/ots-python/releases/tag/v8.1.4.post1

At some point we should also move this from Travis to Github Actions. Maybe @m4rc1e can help with that

[anthrotype]

Ops.. It looks like a pushed that commit and v8.1.4.post1 tag to the wrong branch "master" instead of "main" so that release is actually missing the new 8.1.4 ots 😅
I immediately pushed a new v8.1.4.post2 release from the correct branch, apologies

[anthrotype]

I just added @felipesanches as co-maintainer to the opentype-sanitizer PyPI account, in case you ever need to delete or "yank" bad releases (like I had to do for the .post1 with the wrong embedded OTS)

[felipesanches]

cool! Thanks! :-D