[PATCH 2 of 4 website] base: add a requirements.txt
Sean Farley
sean at farley.io
Fri May 12 16:20:47 EDT 2017
Gregory Szorc <gregory.szorc at gmail.com> writes:
> On Wed, May 10, 2017 at 7:55 PM, Kevin Bullock <
> kbullock+mercurial at ringworld.org> wrote:
>
>> > On May 10, 2017, at 19:16, Gregory Szorc <gregory.szorc at gmail.com>
>> wrote:
>> >
>> >> On Wed, May 10, 2017 at 10:22 AM, Kevin Bullock <
>> kbullock+mercurial at ringworld.org> wrote:
>> >> # HG changeset patch
>> >> # User Kevin Bullock <kbullock+mercurial at ringworld.org>
>> >> # Date 1494433855 18000
>> >> # Wed May 10 11:30:55 2017 -0500
>> >> # Node ID b99251cd874a4a559ceadbd6fd33e6f411b1e776
>> >> # Parent 3faffcf56082846bd385f6594d9729bceceaf83b
>> >> base: add a requirements.txt
>> >>
>> >> diff --git a/requirements.txt b/requirements.txt
>> >> new file mode 100644
>> >> --- /dev/null
>> >> +++ b/requirements.txt
>> >> @@ -0,0 +1,1 @@
>> >> +Flask>=0.12.1,<0.13
>> >>
>> > Modern versions of pip support pinning hashes in requirements files. It
>> is quite nice as it not only buffers you against MitM attacks, compromised
>> servers, and corruption, but also forces you to have hashes pinned for
>> *all* dependencies. In effect, it requires you to list *all* dependencies
>> and gives you peace of mind that your virtualenv is reproducible. I'd
>> highly recommend implementing that as a follow-up to this series and using
>> that practice in any other production pip requirements files you maintain.
>>
>> Does anyone in the Python world put that sort of thing in a separate file?
>> It seems perfectly reasonable to do something like:
>>
>> $ pip install -r requirements.txt
>> $ pip freeze -r requirements.txt > requirements.frozen
>>
>> and then to install the precise hash-pinned versions somewhere else:
>>
>> $ pip install -r requirements.frozen
>>
>> In fact this is precisely equivalent to what Bundler (for Ruby) and Yarn
>> (for Node.js) do. I'd much rather have one file that declares the
>> dependencies, and a _separate_ one that locks down the precise versions of
>> those and all transitive dependencies.
>>
>
> The Python Packaging Guide seems to suggest that dependencies should be
> declared with install_requires in setup.py and full environments should be
> declared with pip requirements files.
> https://packaging.python.org/requirements/#install-requires-vs-requirements-files
>
> I've heard of people parsing files (possibly requirements files) in
> setup.py in order to populate install_requires to avoid the duplication.
Personally, I would avoid doing this until we really need it. :shrug:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 800 bytes
Desc: not available
URL: <http://www.mercurial-scm.org/pipermail/mercurial-devel/attachments/20170512/84955394/attachment.sig>
More information about the Mercurial-devel
mailing list