[PATCH 2 of 4 website] base: add a requirements.txt

Gregory Szorc gregory.szorc at gmail.com
Wed May 10 23:19:09 EDT 2017


On Wed, May 10, 2017 at 7:55 PM, Kevin Bullock <
kbullock+mercurial at ringworld.org> wrote:

> > On May 10, 2017, at 19:16, Gregory Szorc <gregory.szorc at gmail.com>
> wrote:
> >
> >> On Wed, May 10, 2017 at 10:22 AM, Kevin Bullock <
> kbullock+mercurial at ringworld.org> wrote:
> >> # HG changeset patch
> >> # User Kevin Bullock <kbullock+mercurial at ringworld.org>
> >> # Date 1494433855 18000
> >> #      Wed May 10 11:30:55 2017 -0500
> >> # Node ID b99251cd874a4a559ceadbd6fd33e6f411b1e776
> >> # Parent  3faffcf56082846bd385f6594d9729bceceaf83b
> >> base: add a requirements.txt
> >>
> >> diff --git a/requirements.txt b/requirements.txt
> >> new file mode 100644
> >> --- /dev/null
> >> +++ b/requirements.txt
> >> @@ -0,0 +1,1 @@
> >> +Flask>=0.12.1,<0.13
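Review bot: The range `Flask>=0.12.1,<0.13` on the one added line pins neither an exact version nor a digest and names only the direct dependency, so two installs from this file can resolve to different Flask point releases and to different trees of Flask's own dependencies, with no integrity check on what pip downloads. Consider a follow-up that adds a lock file with exact `==` pins and a `--hash=sha256:<digest>` entry for every package (direct and transitive), installed with `pip install --require-hashes -r <lockfile>`, plus a header comment in this file saying how that lock file is regenerated.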
> >>
> > Modern versions of pip support pinning hashes in requirements files. It
> is quite nice as it not only buffers you against MitM attacks, compromised
> servers, and corruption, but also forces you to have hashes pinned for
> *all* dependencies. In effect, it requires you to list *all* dependencies
> and gives you peace of mind that your virtualenv is reproducible. I'd
> highly recommend implementing that as a follow-up to this series and using
> that practice in any other production pip requirements files you maintain.
>
> Does anyone in the Python world put that sort of thing in a separate file?
> It seems perfectly reasonable to do something like:
>
>     $ pip install -r requirements.txt
>     $ pip freeze -r requirements.txt > requirements.frozen
>
> and then to install the precise hash-pinned versions somewhere else:
>
>     $ pip install -r requirements.frozen
>
> In fact this is precisely equivalent to what Bundler (for Ruby) and Yarn
> (for Node.js) do. I'd much rather have one file that declares the
> dependencies, and a _separate_ one that locks down the precise versions of
> those and all transitive dependencies.
>

The Python Packaging Guide seems to suggest that dependencies should be
declared with install_requires in setup.py and full environments should be
declared with pip requirements files.
https://packaging.python.org/requirements/#install-requires-vs-requirements-files

I've heard of people parsing files (possibly requirements files) in
setup.py in order to populate install_requires to avoid the duplication.
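An added example (mine, not code from this thread or from the Mercurial website repository) of what the hash-pinning discussed above buys: a parser for pip's `--hash=` requirement syntax, a check for entries that `pip install --require-hashes` would reject, and verification of a downloaded artifact against its pinned digest. The lock line, the stand-in artifact and its digest are constructed for the demo.

```python
"""Hash-pinned requirements: parse, validate, and verify an artifact."""
import hashlib
import re
from dataclasses import dataclass, field

# name, then an optional version specifier such as ">=0.12.1,<0.13" or "==0.12.1"
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*([=<>!~]=?[^\s\\]*)?")
# pip's per-requirement hash option: --hash=<algorithm>:<hex digest>
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    specifier: str
    hashes: dict = field(default_factory=dict)  # algorithm -> hex digest


def parse_requirements(text):
    """Parse requirements-file text; backslash continuations are joined first."""
    reqs = []
    for logical in text.replace("\\\n", " ").splitlines():
        line = logical.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or an option line such as -r / -e
        m = REQ_RE.match(line)
        if not m:
            raise ValueError("unparsable requirement: %r" % line)
        hashes = {alg.lower(): hexd.lower() for alg, hexd in HASH_RE.findall(line)}
        reqs.append(Requirement(m.group(1).lower(), m.group(2) or "", hashes))
    return reqs


def unpinned(reqs):
    """Names lacking an exact '==' pin or a digest; --require-hashes refuses these."""
    return [r.name for r in reqs if not r.specifier.startswith("==") or not r.hashes]


def verify_artifact(req, data):
    """True iff the downloaded bytes match one of the requirement's pinned digests."""
    return any(hashlib.new(alg, data).hexdigest() == hexd
               for alg, hexd in req.hashes.items())


# Constructed samples: the declared range from the patch, and a hash-pinned
# lock line built around a fake artifact standing in for a downloaded sdist.
DECLARED = "Flask>=0.12.1,<0.13\n"
FAKE_SDIST = b"constructed stand-in for a Flask sdist"
LOCKED = "Flask==0.12.1 \\\n    --hash=sha256:%s\n" % hashlib.sha256(FAKE_SDIST).hexdigest()
```

Run against `DECLARED` the checker reports `flask` as unpinned; against `LOCKED` it reports nothing, and only the exact bytes the digest was taken from verify.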