-
Notifications
You must be signed in to change notification settings - Fork 28
UpgradeToPip8
pip 8 is out—and with it, my new peep-equivalent hash verification support. This brings myriad improvements, including support for caching, detection of unhashed dependencies (no more --no-deps), and better handling of errors and corner cases. This also marks the deprecation of peep, so it's time to start planning your transition.
If you use pretend servers and just blow them away with every deploy, your job is easy. Otherwise, here's a way to do it without race conditions:
- Upgrade your projects to the newly released peep 3.0 (which adds compatibility with pip 8, thanks to Ed Morley).
- Upgrade your servers to pip 8. (No privs on your server? Try pipstrap!)
- Atomically, switch the format of your requirements files using
peep port(in peep 2.5 and later), and start calling pip instead of peep from your deploy script. - Delete peep from your project.
That's all you really need to know.
Here are some before-and-after examples to save you digging through readmes:
| peep | pip 8 |
|---|---|
peep install -r requirements.txt |
pip install --require-hashes -r requirements.txt ( |
peep hash SomePackage-1.2.3.tar.gz |
pip hash SomePackage-1.2.3.tar.gz |
# sha256: L9XU_-gfdi3So-WEctaQoNu6N2Z3ZQYAOu4-16qor-8 # sha256: qF4YU3XbdcEJ-Z7N49VUFfA15waKgiUs9PFsZnrDj0k Flask==0.9 Flask==0.9 \
--hash=sha256:2fd5d4ffe81f762dd2a3e58472d690a0dbba3766776506003aee3ed7aaa8afef \
--hash=sha256:a85e185375db75c109f99ecde3d55415f035e7068a82252cf4f16c667ac38f49
|
I'm really looking forward to not having peep break every time a new pip comes out, and being able to hash-verify Heroku deploys will be pretty sweet, too. Happy hashing!
Erik
P.S. Many thanks to jezdez and dstufft for their generous reviews and support!