Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove Pipenv in favor of pip-tools, security updates #372

Merged
merged 7 commits into from
May 30, 2019
Merged

remove Pipenv in favor of pip-tools, security updates #372

merged 7 commits into from
May 30, 2019

Conversation

redshiftzero
Copy link
Contributor

@redshiftzero redshiftzero commented May 14, 2019
edited
Loading

Closes #370
Closes #308
Closes #371

Testing

  • Verify hashes are the same from the removed Pipfile.lock compared to requirements.txt except the two dependencies updated here
  • Verify dev setup works for you following README updates
  • Verify static analysis, CVE safety check, test jobs pass in CI

Required diff review

  • urllib3 1.24 -> 1.24.3
  • sqlalchemy 1.2.13 -> 1.3.3

Check prior to merge

@redshiftzero redshiftzero mentioned this pull request May 14, 2019
Closed
heartsucker
heartsucker reviewed May 15, 2019
View reviewed changes
Makefile Outdated Show resolved Hide resolved
@kushaldas
Copy link
Contributor

This will break the package building steps. As our package index (wheel builds) + debian packaging works based on Pipfile.lock and also based on the requirements.txt with private wheel hashes.
We should discuss this more.

@redshiftzero
Copy link
Contributor Author

Yep I know, see this message in the PR description (there's another branch in the debian packaging repo called bye-pipenv which has my wip thus far):

In draft mode because there need to be accompanying PRs over in the securedrop-debian-packaging repo and securedrop-proxy prior to us merging this here

@kushaldas
Copy link
Contributor

Yep I know, see this message in the PR description (there's another branch in the debian packaging repo called bye-pipenv which has my wip thus far):

Ah, I assume it means that pipenv's new feature about updating only one package does not work as it should?

@redshiftzero redshiftzero mentioned this pull request May 15, 2019
Merged
6 tasks
@redshiftzero redshiftzero force-pushed the bye-pipenv branch 2 times, most recently from 43ed1b3 to f02e3df Compare May 18, 2019 04:38
@redshiftzero redshiftzero mentioned this pull request May 18, 2019
Merged
@kushaldas
Copy link
Contributor

Reviewed SQLAlchemy 1.3.3 https://github.com/freedomofpress/securedrop-debian-packaging/wiki/SQLAlchemy-1.3.3

@kushaldas
Copy link
Contributor

Reviewed urllib3 1.24.3 https://github.com/freedomofpress/securedrop-debian-packaging/wiki/urllib3-1.24.3

kushaldas
kushaldas approved these changes May 27, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good. Approved 🦄 🦄 🦄 🦄 🌈

@redshiftzero redshiftzero marked this pull request as ready for review May 28, 2019 17:15
@redshiftzero
Copy link
Contributor Author

(force pushed to resolve conflicts only)

@kushaldas kushaldas merged commit 06bbb55 into master May 30, 2019
@redshiftzero redshiftzero mentioned this pull request Jun 6, 2019
Merged
@redshiftzero redshiftzero deleted the bye-pipenv branch May 26, 2020 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heartsucker heartsucker heartsucker left review comments

@kushaldas kushaldas kushaldas approved these changes

@sssoleileraaa sssoleileraaa Awaiting requested review from sssoleileraaa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@redshiftzero @kushaldas @heartsucker