Merge pull request #1457 from rhelmer/bug894493-use-peep-for-deps

[DO NOT MERGE] bug 894493 - use peep for dependencies

Makefile

@@ -43,7 +43,8 @@ bootstrap:
 	which lessc || time npm install less
 	[ -d $(VIRTUALENV) ] || virtualenv -p python2.6 $(VIRTUALENV)
 	# install dev + prod dependencies
-	time $(VIRTUALENV)/bin/pip install --use-mirrors --download-cache=./pip-cache -r requirements/dev.txt
+	time $(VIRTUALENV)/bin/pip install tools/peep-0.4.tar.gz
+	time $(VIRTUALENV)/bin/peep install --download-cache=./pip-cache -r requirements/dev.txt
 
 install: bootstrap reinstall
 

docs/dependencies.rst

@@ -42,6 +42,13 @@ Pinning exact versions is important because it makes deployment
 predictable meaning that what you test and develop against locally is
 exactly reflected in production. 
 
+Also, Socorro uses a `pip` wrapper called `peep`
+(https://pypi.python.org/pypi/peep) which ensures that the packages
+downloaded from the Python Package Index (PyPI) have not been tampered with.
+
+Since we can't trust peep to verify itself, we ship a version in the
+`./tools` directory of the Socorro repo.
+
 Whilst it's a given that you pin the exact version of the package you
 now depend on, that package might have its own dependencies and
 sometimes they're not pinned to specific version. For example,
@@ -59,3 +66,12 @@ installed as a nested dependency. So, do this::
 
     $ emacs requirements/prod.txt
 
+    peep install -r requirements/prod.txt
+
+    # read the output of peep, which will give you the SHA comments to paste
+    # into requirements.txt
+
+    $ emacs requirements/prod.txt
+
+    # finally, install your dependencies!
+    peep install -r requirements/prod.txt

requirements/dev.txt

@@ -1,11 +1,21 @@
 -r prod.txt
+# sha256: SYQkQdJNiNDs_DhobQIcs7G-56v8VB6fxzReRiDe6rY
 Mako==0.7.3
+# sha256: M57ATSCtnNzL_p843OYYLMUEznieXQ-WR-qnUvD5UwA
 MarkupSafe==0.15
+# sha256: EWRYQrqOyYaujPvkxsrP9cNfD0Unq_T1WBrotK1JwLY
 Paste==1.7.5.1
+# sha256: OUPcL2_NI90KlgiOJa_DWiUfP9cRRKxv0z-19C2o2R4
 coverage==3.5.2b1
+# sha256: lvpN706AIAvoJ8P1EUfdez-ohzuSB-MyXUe6Rb8ppcE
 mock==0.8.0
+# sha256: TmPMMyXedc-Y_61AvnL6aXU96CRpUXMXj3TANP5PUmA
 nose==1.3.0
+# sha256: r1v0XaSpFtsrY4z_2enWZoszAg4rjKn4ZNt5tJMxxv8
 poster==0.8.1
-sqlalchemy-citext==1.0-2
+# sha256: SolVbLVSddGvaU3E1XANi_D4NpC6wWqzA0AJL_JbtNc
 SQLAlchemy==0.7.9
+# sha256: nW39CUxAXy1TiCYko054g4on4iviXYCaHf_OH5zWTpM
 alembic==0.5.0
+# sha256: nPgCbuv2CxrIy3j0q_87DfYNM3Co2ZHCrArz4F8lRgg
+sqlalchemy-citext==1.0-2

requirements/prod.txt

@@ -1,16 +1,32 @@
+# sha256: ln_ZhEDJyABaCyhKJydsUQmN7BS2jZaAJC9L5x2ZZj0
 configman==1.1.9
+# sha256: UV_5I0YlkugyHfi0jEfjQo-NQG7iK43ne--WnRrxEXE
 configobj==4.7.2
+# sha256: oz42dZy6Gowxw8AelDtO4gRgTW_xPdooH484k7I5EOY
 hbase-thrift==0.20.4
+# sha256: YjGaw0shgNRQpNknhzyyYA88E7zmsgd83XcMd7Oph-E
 isodate==0.4.7
+# sha256: un_il03Cdt0bg-HEB9ZsetPuZDOPdT1PZXr8qWxJumw
 lxml==2.3.4
+# sha256: SLcCp8pHnhvCwae4GHWgfUdCmBMmBZk-LLl59eCCd9c
 psycopg2==2.4.5
+# sha256: nfxuPgVdYbZI6sKr2aPZPr3-EXRuNwBWk0rce2mnviU
 pyelasticsearch==0.3
+# sha256: K89b7bUyilYzBFp9RnhNM5POlAyUnAkMr111ttMWNGY
 simplejson==2.5.0
+# sha256: 1coRGB3yjavWHUKc4SBs0C2xubGAV_WiSsLowvY6nZo
 statsd==0.5.1
+# sha256: 1VJK5SO7ngnFe829HvriwofSBgNojqMfYCDtGApImvA
 suds==0.4
+# sha256: gLPAyGSc5ZC9JYcVUPZnDqvi6YpdHvXkD5K4hZfYCB0
 thrift==0.8.0
+# sha256: xF7Ftf6qulO7rmndlxwoGDLxMy1ZSc1uXKJ3R_6SJWo
 web.py==0.36
+# sha256: FWvz7Ce6nsfgz4--AoCHGAmdIY3kA-tkpxTXO6GimrE
 requests==1.2.3
+# sha256: Zm_VIvShBZ1bi0mW5Xb6eGL1BVKOEc8e9VRjEcYMPk0
 pika==0.9.8
+# sha256: jjAivJYKpdX8fUxWR4YIdpOhqZ8V4CWtkg_AqjeOHWc
 pgxnclient==1.2.1
+# sha256: wn5AqzzPN_MKn3estJFzcNk0HiWr2o6Uub1IxxJ_fUg
 raven==3.4.1