Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Secret Recipes of the Python Ninja

You're reading from   Secret Recipes of the Python Ninja Over 70 recipes that uncover powerful programming tactics in Python

Arrow left icon
Product type Paperback
Published in May 2018
Publisher Packt
ISBN-13 9781788294874
Length 380 pages
Edition 1st Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Cody Jackson Cody Jackson
Author Profile Icon Cody Jackson
Cody Jackson
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Working with Python Modules FREE CHAPTER 2. Utilizing the Python Interpreter 3. Working with Decorators 4. Using Python Collections 5. Generators, Coroutines, and Parallel Processing 6. Working with Python's Math Module 7. Improving Python Performance with PyPy 8. Python Enhancement Proposals 9. Documenting with LyX 10. Other Books You May Enjoy

Utilizing requirement files and resolving conflicts

As mentioned previously, a requirements file, requirements.txt, can be created to provide a list of packages to install all at once, via pip install -r requirements.txt. The requirements file can specify specific or minimum versions, or simply specify the library name and the latest version will be installed.

It should be noted that files pulled from the requirements file aren't necessarily installed in a particular order. If you require certain packages to be installed prior to others, you will have to take measures to ensure that the installation is sequential, such as having multiple pip install calls.

Requirements files can specify version numbers of packages explicitly. For example, two different modules (m1 and m2) both depend on a third module (m3). The module m1 requires m3 to be at least version 1.5, but m2 requires it to be no later than version 2.0; the current version of m3 is 2.3. In addition, the latest version of m2 (version 1.7) is known to contain a bug.

Hash digests can be used in requirements files to verify downloaded packages to guard against a compromise of the PyPI database or the HTTPS certificate chain. This is actually a good thing, as in 2017 ten Python libraries (https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/) uploaded to PyPI were found to be hosting malicious files.

Because PyPI does not perform any security checks or code auditing when packages are uploaded, it is actually very easy to upload malicious software.

How to do it...

  1. Manually create requirements.txt by typing in the packages to include in the project. The following is an example from https://pip.pypa.io/en/latest/reference/pip_install/#requirements-file-format:

  1. Alternatively, run pip freeze > requirements.txt. This automatically directs the currently installed packages to a properly formatted requirements file.
  2. To implement hash-checking mode, simply include the digest with the package name in the requirements file, demonstrated below:
      FooProject == 1.2 --hash=sha256:<hash_digest>
Note: Supported hash algorithms include: md5, sha1, sha224, sha384, sha256, and sha512.
  1. If there are module conflicts, or special versioning is needed, provide the first module required:
      m1
  1. Indicate the second module, but ensure the version installed pre-dates the known bad version:
      m2<1.7
  1. Provide the third module, ensuring it is at least equal to the minimum version required, but no greater than the maximum version that can be used:
     m3>=1.5, <=2.0

While the preceding screenshot shows some version specifier requirements, here is an example showing some of the different ways to specify module versions in requirements.txt:

        flask
flask-pretty == 0.2.0
flask-security <= 3.0
flask-oauthlib >= 0.9.0, <= 0.9.4

How it works...

In this example, module m1 is specified as a requirement, but the version number doesn't matter; in this case, pip will install the latest version. However, because of the bug in the latest version of m2, an earlier version is specified to be installed. Finally, m3 must be a version between 1.5 and 2.0 to satisfy the installation. Naturally, if one of these conditions can't be met, the installation will fail and the offending library and version numbers will be displayed for further troubleshooting.

There's more...

It's worth noting that pip doesn't have true dependency resolution; it will simply install the first file specified. Thus, it is possible to have dependency conflicts or a sub-dependency that doesn't match the actual requirement. This is why a requirements file is useful, as it alleviates some dependency problems.

Verifying hashes also ensures that a package can't be changed without its version number changing as well, such as in an automated server deployment. This is an ideal situation for efficiency, as it eliminates the need for a private index server that maintains only approved packages.

You have been reading a chapter from
Secret Recipes of the Python Ninja
Published in: May 2018
Publisher: Packt
ISBN-13: 9781788294874
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime