mirror of
https://github.com/theupdateframework/python-tuf
synced 2026-05-24 10:08:28 +00:00
Follows up on #978, which had the following problems:
- too many requirements files (cc @trishankatdatadog ;)
- used extra tooling around pip-compile that
  - didn't take into account requirement markers (see comments in requirements.txt in this commit), and
  - confused Dependabot, which expects the hashed requirements file in a certain format, as pip-compile would generate it without custom tooling (see #979).

This commit restructures the requirements files as follows:
- Merges requirements-tox.txt and requirements-test.txt. The separation was semantically correct but operationally irrelevant.
- Removes the hashed requirements file, which doesn't add much security, especially with PEP 458 on the way (see python/peps#1306), but extra maintenance (see notes about requirements.txt in #978 and about Dependabot above)
- Manually adds environment markers to requirements-pinned.txt (see comments in requirements.txt in this commit).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
47 lines
1.7 KiB
Text
# TUF runtime requirements plus securesystemslib with extra dependencies
#
# This file together with 'pip-compile' is used to generate a pinned
# requirements file with all immediate and transitive dependencies.
#
# 'requirements-pinned.txt' is updated on GitHub with Dependabot, which
# triggers CI/CD builds to automatically test against updated dependencies.
#
#
# NOTE: 'pip-compile' only adds dependencies relevant for the Python version
# in which it is executed. Moreover, it does not add environment markers of
# transitive dependencies.
# The official recommendation for cross-environment usage of pip-compile tends
# towards separate requirements files for each environment (see
# jazzband/pip-tools#651). This seems like overkill for tuf, where we only
# have a few conditional dependencies, i.e. dependencies that are required on
# Python < 3 only.
#
#
# Below instructions can be used to re-generate 'requirements-pinned.txt', e.g.
# if:
# - requirements are added or removed from this file
# - Python version support is changed
# - CI/CD build breaks due to updates (e.g. transitive dependency conflicts)
#
# 1. Use this script to create a pinned requirements file for each Python
#    version
# ```
# for v in 2.7 3.5 3.6 3.7 3.8; do
#   mkvirtualenv tuf-env-${v} -p python${v};
#   pip install pip-tools;
#   pip-compile --no-header -o requirements-${v}.txt requirements.txt;
#   deactivate;
#   rmvirtualenv tuf-env-${v};
# done;
#
# ```
# 2. Use this command to merge per-version files
#    `sort -o requirements-pinned.txt -u requirements-?.?.txt`
#    (a package pinned to different versions on different interpreters
#    survives this merge as two conflicting lines; the markers added in the
#    next step are what resolves that)
# 3. Manually add environment markers to requirements-pinned.txt
# 4. Use this command to remove per-version files
#    `rm requirements-?.?.txt`
#
securesystemslib[colors, crypto, pynacl]
requests
six
iso8601