WebDev/Deployments: Difference between revisions

WebDev/Deployments (view source)

Revision as of 22:05, 3 October 2012

34 bytes added , 3 October 2012

no edit summary

Amckay

Confirmed users

1,158

edits

@@ Line 15: / Line 15: @@
 All requirements should be pinned, eg:
-foo==0.3
+   foo==0.3
-Use of >= or not pinning to a version is not recommended. This can been un-vetted versions of packages being installed.
+Use of <code>>=</code> or not pinning to a version is not recommended. This can mean untrusted versions of packages being installed.
-When run use --no-deps. This ensures that packages will not pull in more un-vetted versions of packages. It also means that the requirements files are a definitive source of packages used. This allows security faster audits of who is using what package.
+When run use <code>--no-deps</code>. This ensures that packages will not pull in more untrusted versions of packages. It also means that the requirements files are a definitive source of packages used. This allows security faster audits of who is using what package.
 ==Internal package server==
@@ Line 33: / Line 33: @@
 Contributors and external users will continue to use PyPI as normal. Internal production deployments will use this mirror by using the --no-index and --find-links. For example in Marketplace:
-     ./venv/bin/pip install --exists-action=w --no-deps --no-index -f http://pyrepo1.addons.phx1.mozilla.com/ -r requirements/prod.txt
+     ./venv/bin/pip install --exists-action=w --no-deps --no-index
+    -f http://pyrepo1.addons.phx1.mozilla.com/ -r requirements/prod.txt
 ==Future goals==
 If we can build RPMs prior to deploying, this will allow security to more easily audit the source of files. Currently services and socorro do this.

WebDev/Deployments: Difference between revisions

WebDev/Deployments (view source)

Revision as of 22:05, 3 October 2012

Navigation menu

Search