Pip 8 is out and with it, the ability to only install dependencies you've vetted. Thank Erik Rose! Now you can be absolutely certain that the dependencies you downloaded and installed locally are absolutely identical to the dependencies you download and install on your production server.

So your server needs pip to install those dependencies safely and securely. Initially you have to trust the pip/virtualenv that is installed globally on the system. If you can trust it but are unsure whether it's a good version of pip (version 8 and up), that's where pipstrap.py comes in. It makes sure you get a pip version installed that supports pip install with hashes.

Add pipstrap.py to your git/hg repo and use it to make sure you have a good pip. For example, your deployment script might look like this now:

    pip install --require-hashes -r requirements.txt
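An added example, not from the original post: a pre-deploy check that a requirements file meets what pip's hash-checking mode demands, namely every requirement pinned with `==` and carrying at least one `--hash`, plus the digest comparison applied to a downloaded file. The package names, the sample file and the helper names are constructed for illustration.

```python
import hashlib
import re

HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")

def parse_requirements(text):
    """Yield (requirement, {(algorithm, digest), ...}) per logical line."""
    logical = text.replace("\\\n", " ")  # join backslash continuations
    for line in logical.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()  # drop comments
        if not line or line.startswith("-"):  # blank or global option line
            continue
        hashes = {(a.lower(), d.lower()) for a, d in HASH_RE.findall(line)}
        yield HASH_RE.sub("", line).split(";")[0].strip(), hashes

def audit(text):
    """Return the problems that would make a hash-checked install fail."""
    problems = []
    for req, hashes in parse_requirements(text):
        if not re.fullmatch(r"[A-Za-z0-9._\[\],-]+==[^=*\s]+", req):
            problems.append(f"{req}: not pinned with ==")
        if not hashes:
            problems.append(f"{req}: no --hash")
    return problems

def artifact_matches(data, hashes):
    """True if the downloaded bytes match any digest pinned for them."""
    return any(hashlib.new(alg, data).hexdigest() == digest
               for alg, digest in hashes)

# Constructed stand-in for a downloaded wheel and a constructed requirements file.
ARTIFACT = b"constructed stand-in for a downloaded wheel"
SAMPLE = f"""\
# constructed sample, not a real project's requirements
examplepkg==1.2.3 \\
    --hash=sha256:{hashlib.sha256(ARTIFACT).hexdigest()}
otherpkg>=2.0 --hash=sha256:{'0' * 64}
thirdpkg==0.9   # pinned but unhashed
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE):
        print("FAIL", problem)
    pinned = next(parse_requirements(SAMPLE))[1]
    print("artifact ok:", artifact_matches(ARTIFACT, pinned))
    print("tampered ok:", artifact_matches(ARTIFACT + b"x", pinned))
```

Running a check like this in CI catches a requirement that was added without a hash before the deployment's `pip install --require-hashes` step rejects it.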