Add SHA dependency checks #454
Comments
These can be potentially bothersome but should be worth it. You usually include a hash of the .tar.gz and a platform's .whl, but can include as many as needed. The hashin utility can produce these for us. But piptools' pip-compile may get support for what hashin does soon: with pip-compile you can keep the most bare-minimum requirements in a '.in' file (a lot like what you'd have in setuptools requires). It then version-pins everything from it, including all the sub-dependencies. It mentions in the final requirements file where those sub-dependencies are from, e.g.:

Then it has a --upgrade feature, which is similar to what pyup provides.
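To make concrete what the hash pinning discussed above actually enforces, here is an added example (not code from this project or from any commenter) that models the check pip performs in --require-hashes mode on a requirements file of the kind hashin or `pip-compile --generate-hashes` writes: backslash-continued lines with one `--hash=sha256:...` per distribution file. The package names, URL, file names and file contents are constructed, and the editable VCS line stands in for the txstatsd/cryptography situation raised later in the thread.

```python
# Added example (not from the project or the thread): a minimal model of pip's
# --require-hashes behaviour. All requirements, URLs and artifact bytes below
# are constructed stand-ins.
import hashlib
import re
from dataclasses import dataclass, field

# pip only accepts these digest algorithms in --hash options; md5/sha1 are refused.
STRONG_ALGOS = {"sha256", "sha384", "sha512"}
HASH_OPT = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


@dataclass
class Requirement:
    spec: str                                   # "example==1.0" or a URL/VCS spec
    editable: bool = False                      # "-e ..." lines cannot be hash-checked
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the downloaded sdist and wheel of one release.
ARTIFACTS = {
    "example-1.0.tar.gz": b"constructed sdist contents",
    "example-1.0-py3-none-any.whl": b"constructed wheel contents",
}

# Constructed requirements text in the layout pip-compile emits. The last three
# lines are the cases that break hash checking: a dependency with no hash at
# all, a weak digest, and an editable VCS spec (the txstatsd problem).
REQUIREMENTS = f"""
example==1.0 \\
    --hash=sha256:{sha256_hex(ARTIFACTS['example-1.0.tar.gz'])} \\
    --hash=sha256:{sha256_hex(ARTIFACTS['example-1.0-py3-none-any.whl'])}
unpinned-lib==2.3
weak-lib==0.1 --hash=md5:{hashlib.md5(b'constructed').hexdigest()}
-e git+https://example.invalid/txstatsd.git#egg=txstatsd
"""


def parse_requirements(text: str) -> list:
    """Parse requirement lines and their --hash options; blanks and comments are skipped."""
    logical_lines = text.replace("\\\n", " ").splitlines()  # join continuations like pip
    reqs = []
    for line in logical_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        editable = line.startswith("-e ")
        if editable:
            line = line[3:].strip()
        req = Requirement(spec=line.split()[0], editable=editable)
        for algo, digest in HASH_OPT.findall(line):
            req.hashes.setdefault(algo, set()).add(digest.lower())
        reqs.append(req)
    return reqs


def require_hashes_errors(reqs) -> list:
    """What --require-hashes mode rejects before downloading anything at all."""
    errors = []
    for req in reqs:
        if req.editable:
            errors.append(f"{req.spec}: editable/VCS requirements cannot be hash-checked")
        elif not req.hashes:
            errors.append(f"{req.spec}: no --hash given, but every requirement needs one")
        else:
            for algo in req.hashes:
                if algo not in STRONG_ALGOS:
                    errors.append(f"{req.spec}: hash algorithm {algo} is not allowed")
    return errors


def verify_artifact(req: Requirement, data: bytes) -> bool:
    """Accept a downloaded file only if its digest matches one of the pinned hashes."""
    return any(
        hashlib.new(algo, data).hexdigest() in digests
        for algo, digests in req.hashes.items()
    )


def main():
    reqs = parse_requirements(REQUIREMENTS)
    for err in require_hashes_errors(reqs):
        print("REJECTED:", err)
    example = reqs[0]
    for name, data in ARTIFACTS.items():
        print(name, "ok" if verify_artifact(example, data) else "HASH MISMATCH")
    tampered = ARTIFACTS["example-1.0.tar.gz"] + b"!"
    print("tampered sdist", "ok" if verify_artifact(example, tampered) else "HASH MISMATCH")


if __name__ == "__main__":
    main()
```

The point the thread keeps circling back to is the `-e` line: pip cannot hash a checkout, so a single editable or VCS requirement disables the mode for the whole file, which is why the thread needs a released txstatsd before enabling `--require-hashes`.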
FYI @oberstet pip-tools actually has support for handling these now (that jazzband/pip-tools#303 should be closed out). When we switch to it we'll be gaining the .in file format/upgrading and now the hash support too.
kill the unneeded future dep and move pycrypto into tests only

Issue: #454
We can't enable hash checks while still using editable URL specs (txstatsd and temporarily cryptography). I've pinged txstatsd's Launchpad for a new release, but will probably have to get in touch with them via some other means.
Once we go to Rust for the connection node, we can drop txstatsd and should be able to do this.

endpoint still needs it, no?

Aw right, we're still on twisted for the endpoint, doh.

Won't be addressing this as we're moving entirely to Rust soonish.
pip now lets us add SHA hashes to dependencies; we should use these: