[PATCH 2 of 4 website] base: add a requirements.txt

Gregory Szorc gregory.szorc at gmail.com
Wed May 10 20:16:34 EDT 2017


On Wed, May 10, 2017 at 10:22 AM, Kevin Bullock <
kbullock+mercurial at ringworld.org> wrote:

> # HG changeset patch
> # User Kevin Bullock <kbullock+mercurial at ringworld.org>
> # Date 1494433855 18000
> #      Wed May 10 11:30:55 2017 -0500
> # Node ID b99251cd874a4a559ceadbd6fd33e6f411b1e776
> # Parent  3faffcf56082846bd385f6594d9729bceceaf83b
> base: add a requirements.txt
>
> diff --git a/requirements.txt b/requirements.txt
> new file mode 100644
> --- /dev/null
> +++ b/requirements.txt
> @@ -0,0 +1,1 @@
> +Flask>=0.12.1,<0.13
>
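
Review bot: the single requirement `Flask>=0.12.1,<0.13` is a version range with no `--hash`, so two installs of this file can resolve to different Flask releases, and none of Flask's own dependencies are listed. Suggest pinning an exact version (`Flask==<version>`) with a `--hash=sha256:<digest>` entry, and listing every transitive dependency the same way so the file can be installed in pip's hash-checking mode.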

Modern versions of pip support pinning hashes in requirements files. It is
quite nice as it not only buffers you against MitM attacks, compromised
servers, and corruption, but also forces you to have hashes pinned for
*all* dependencies. In effect, it requires you to list *all* dependencies
and gives you peace of mind that your virtualenv is reproducible. I'd
highly recommend implementing that as a follow-up to this series and using
that practice in any other production pip requirements files you maintain.
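
An added example, not part of the original message or of the Mercurial website repository: a small Python check that flags requirements entries which pip's hash-checking mode would reject, either because they are not pinned with `==` or because they carry no `--hash`. The sample file contents, the all-zero placeholder digest and the function names are constructed for illustration.

```python
import re

# Constructed sample: the first entry mirrors the range specifier from the patch;
# the digest on the second entry is a placeholder, not a real package hash.
SAMPLE = """\
# constructed sample requirements file
Flask>=0.12.1,<0.13
Werkzeug==0.12.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Jinja2==2.9.6
"""

HASH_RE = re.compile(r"--hash=(?:sha256|sha384|sha512):[0-9a-f]+")
# Exact pin: name, optional extras, == or ===, a version with no wildcard or
# extra clause, then end of spec or an environment marker.
PIN_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?\s*===?\s*[^\s;,*]+(?=\s*(?:;|$))"
)

def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = re.sub(r"(^|\s)#.*$", "", buf + line).strip()
        buf = ""
        if stripped:
            yield stripped

def audit(text):
    """Return {requirement: [problems]} for entries that lack a pin or a hash."""
    findings = {}
    for line in logical_lines(text):
        if line.startswith("-"):  # option lines such as -r or --index-url
            continue
        spec = line.split(" --hash")[0].strip()
        problems = []
        if not PIN_RE.match(spec):
            problems.append("not pinned with ==")
        if not HASH_RE.search(line):
            problems.append("no --hash")
        if problems:
            findings[spec] = problems
    return findings

if __name__ == "__main__":
    for req, problems in audit(SAMPLE).items():
        print(f"{req}: {', '.join(problems)}")
```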


More information about the Mercurial-devel mailing list