> On May 10, 2017, at 19:16, Gregory Szorc <gregory.sz...@gmail.com> wrote:
> 
>> On Wed, May 10, 2017 at 10:22 AM, Kevin Bullock 
>> <kbullock+mercur...@ringworld.org> wrote:
>> # HG changeset patch
>> # User Kevin Bullock <kbullock+mercur...@ringworld.org>
>> # Date 1494433855 18000
>> #      Wed May 10 11:30:55 2017 -0500
>> # Node ID b99251cd874a4a559ceadbd6fd33e6f411b1e776
>> # Parent  3faffcf56082846bd385f6594d9729bceceaf83b
>> base: add a requirements.txt
>> 
>> diff --git a/requirements.txt b/requirements.txt
>> new file mode 100644
>> --- /dev/null
>> +++ b/requirements.txt
>> @@ -0,0 +1,1 @@
>> +Flask>=0.12.1,<0.13
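Review bot: The new requirement pins only a version range (`Flask>=0.12.1,<0.13`) and carries no hashes, so two installs from this file can resolve to different Flask releases and pull in different transitive packages; if this file is meant to reproduce a deployment, change it to an exact `==` pin with `--hash=sha256:...` entries (pip then refuses to install unless every dependency, transitive ones included, is hash-pinned), or keep it as the declaration and generate a separate locked file from it.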
>> 
> Modern versions of pip support pinning hashes in requirements files. It is 
> quite nice as it not only buffers you against MitM attacks, compromised 
> servers, and corruption, but also forces you to have hashes pinned for *all* 
> dependencies. In effect, it requires you to list *all* dependencies and gives 
> you peace of mind that your virtualenv is reproducible. I'd highly recommend 
> implementing that as a follow-up to this series and using that practice in 
> any other production pip requirements files you maintain.

Does anyone in the Python world put that sort of thing in a separate file? It 
seems perfectly reasonable to do something like:

    $ pip install -r requirements.txt
    $ pip freeze -r requirements.txt > requirements.frozen

and then to install the precise hash-pinned versions somewhere else:

    $ pip install -r requirements.frozen

In fact this is precisely equivalent to what Bundler (for Ruby) and Yarn (for 
Node.js) do. I'd much rather have one file that declares the dependencies, and 
a _separate_ one that locks down the precise versions of those and all 
transitive dependencies.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
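The distinction drawn in this exchange, a declaration file of ranges versus a lock file pip will accept in hash-checking mode, can be checked mechanically. The following is an added example, not code from this thread or from Mercurial; it uses the patch's `Flask` line and a constructed lock entry with a placeholder digest.

```python
"""Lint a pip requirements file against pip's hash-checking mode rules.

Added example for this thread, not Mercurial's code: once any --hash appears
(or --require-hashes is given) pip refuses to install unless every requirement
is pinned with == and carries a sha256/sha384/sha512 --hash.
"""
import re
from typing import List, Tuple

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_HASH = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")
_EXACT = re.compile(r"^===?\s*[^\s,;<>!~=]+$")
_STRONG = {"sha256", "sha384", "sha512"}  # the algorithms pip accepts

def _logical_lines(text: str) -> List[str]:
    """Join backslash continuations, strip comments and blank lines."""
    out = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out

def lint_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (name, problem) pairs that would make a hash-checked install fail."""
    problems: List[Tuple[str, str]] = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # pip options (-r, --index-url, ...), not requirements
            continue
        m = _REQ.match(line)
        if not m:
            problems.append((line, "unparseable requirement"))
            continue
        name, _extras, rest = m.groups()
        spec = _HASH.sub("", rest).strip()
        if not _EXACT.match(spec):
            problems.append((name, f"not pinned to an exact version: {spec or '(any)'}"))
        hashes = _HASH.findall(rest)
        if not hashes:
            problems.append((name, "no --hash given"))
        for algo, _digest in hashes:
            if algo.lower() not in _STRONG:
                problems.append((name, f"weak hash algorithm {algo}"))
    return problems

# The line from the patch, and a constructed lock entry whose digest is a
# placeholder, not a real Flask hash.
DECLARED = "Flask>=0.12.1,<0.13\n"
LOCKED = "Flask==0.12.1 \\\n    --hash=sha256:" + "0123456789abcdef" * 4 + "\n"
```

`lint_requirements(DECLARED)` reports that Flask is neither exactly pinned nor hashed, while `lint_requirements(LOCKED)` returns an empty list.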

_______________________________________________
Mercurial-devel mailing list
Mercurial-devel@mercurial-scm.org
https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
