[PATCH 2 of 4 website] base: add a requirements.txt

Kevin Bullock kbullock+mercurial at ringworld.org
Wed May 10 22:55:12 EDT 2017


> On May 10, 2017, at 19:16, Gregory Szorc <gregory.szorc at gmail.com> wrote:
> 
>> On Wed, May 10, 2017 at 10:22 AM, Kevin Bullock <kbullock+mercurial at ringworld.org> wrote:
>> # HG changeset patch
>> # User Kevin Bullock <kbullock+mercurial at ringworld.org>
>> # Date 1494433855 18000
>> #      Wed May 10 11:30:55 2017 -0500
>> # Node ID b99251cd874a4a559ceadbd6fd33e6f411b1e776
>> # Parent  3faffcf56082846bd385f6594d9729bceceaf83b
>> base: add a requirements.txt
>> 
>> diff --git a/requirements.txt b/requirements.txt
>> new file mode 100644
>> --- /dev/null
>> +++ b/requirements.txt
>> @@ -0,0 +1,1 @@
>> +Flask>=0.12.1,<0.13
>> 
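Review bot: the one requirement line `+Flask>=0.12.1,<0.13` constrains only the direct dependency to a version range, with no integrity hash, so any 0.12.x release that resolves at install time is accepted and the packages Flask itself pulls in are left entirely unconstrained. For a production requirements file, consider pinning with `==` and `--hash=sha256:...` (or keeping the ranges here and generating a separate locked file from them) so that installs are both reproducible and verified against the expected archive digests.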
> Modern versions of pip support pinning hashes in requirements files. It is quite nice as it not only buffers you against MitM attacks, compromised servers, and corruption, but also forces you to have hashes pinned for *all* dependencies. In effect, it requires you to list *all* dependencies and gives you peace of mind that your virtualenv is reproducible. I'd highly recommend implementing that as a follow-up to this series and using that practice in any other production pip requirements files you maintain.

Does anyone in the Python world put that sort of thing in a separate file? It seems perfectly reasonable to do something like:

    $ pip install -r requirements.txt
    $ pip freeze -r requirements.txt > requirements.frozen

and then to install the precise hash-pinned versions somewhere else:

    $ pip install -r requirements.frozen

In fact this is precisely equivalent to what Bundler (for Ruby) and Yarn (for Node.js) do. I'd much rather have one file that declares the dependencies, and a _separate_ one that locks down the precise versions of those and all transitive dependencies.

pacem in terris / мир / शान्ति / ‎‫سَلاَم‬ / 平和
Kevin R. Bullock
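Added example, not part of this thread or of the Mercurial website repository: a small checker for the hash-pinned requirements format Gregory describes. pip's hash-checking mode (switched on whenever a line carries `--hash`, or explicitly with `--require-hashes`) only accepts requirements pinned with `==` that carry at least one `--hash=<algo>:<hex>` entry, and it compares the digest of each downloaded archive against those pins. The sample file, the digests and the `reqcheck` function names below are all constructed for illustration; the digests are placeholders, not real Flask release hashes.

```python
"""reqcheck: lint a pip requirements file for hash-checking mode.

Flags lines that pip would reject once hashes are in use (no == pin,
no --hash, malformed digest) and verifies archive bytes against the
pinned digests the way pip does before installing a download.
"""
import hashlib
import re
from dataclasses import dataclass, field

HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<hex>[0-9a-fA-F]+)")
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>[^\s;]+)")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


@dataclass
class Requirement:
    line_no: int        # physical line where the logical line starts
    text: str           # the logical line, backslash continuations joined
    name: str
    pinned: bool        # True only for an exact == pin
    hashes: list = field(default_factory=list)  # (algo, hex) pairs


def logical_lines(text):
    """Yield (line_no, line): comments stripped, blank lines skipped,
    backslash continuations joined onto the line that started them."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # '#' opens a comment
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(p.strip() for p in buf).strip()
        first, buf, start = start, [], None
        if joined:
            yield first, joined


def parse_requirements(text):
    reqs = []
    for no, line in logical_lines(text):
        if line.startswith("-"):   # -r, -e, --index-url ...: options, not packages
            continue
        m = NAME_RE.match(line)
        if not m:
            continue
        hashes = [(h.group("algo").lower(), h.group("hex").lower())
                  for h in HASH_RE.finditer(line)]
        reqs.append(Requirement(no, line, m.group(0), bool(PIN_RE.match(line)), hashes))
    return reqs


def check(text):
    """Return (line_no, message) problems; an empty list means the file is
    ready for pip's hash-checking mode."""
    problems = []
    for r in parse_requirements(text):
        if not r.pinned:
            problems.append((r.line_no, f"{r.name}: not pinned with ==, ranges are rejected in hash-checking mode"))
        if not r.hashes:
            problems.append((r.line_no, f"{r.name}: no --hash= given, pip would refuse to install it"))
        for algo, hx in r.hashes:
            if len(hx) != HEX_LEN[algo]:
                problems.append((r.line_no, f"{r.name}: malformed {algo} digest, expected {HEX_LEN[algo]} hex chars"))
    return problems


def digest_matches(data: bytes, hashes):
    """True if the archive bytes match any pinned (algo, hex) digest,
    which is the comparison pip makes before installing a download."""
    return any(hashlib.new(algo, data).hexdigest() == hx for algo, hx in hashes)


# Constructed sample: the range from the patch next to two hashed pins.
# The digests are placeholders, not real Werkzeug/itsdangerous hashes.
SAMPLE = """\
# constructed example requirements file
Flask>=0.12.1,<0.13
Werkzeug==0.12.1 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
itsdangerous==0.24 --hash=sha256:deadbeef
"""

if __name__ == "__main__":
    for line_no, msg in check(SAMPLE):
        print(f"line {line_no}: {msg}")
```

Run against the sample, the checker reports the unpinned, unhashed `Flask` line twice and the truncated `itsdangerous` digest once, while the continued `Werkzeug` line passes. Note that `pip freeze` writes exact `==` pins but no `--hash` entries, so a frozen file in the workflow above still needs digests added (by hand from the index, or with a tool that generates them) before pip will verify what it installs.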


