I actually wrote peepin several months ago but forgot to blog about it.
It's a great library that accompanies peep, which is a wrapper on top of pip. Actually, it's for pip install.
When you normally do pip install -r requirements.txt the only check it does is on the version number, assuming your requirements.txt has lines in it like
With peep, it does a checksum comparison of the wheel, tarball or zip file. It basically means that the installer will get EXACTLY the same package files as were used by the developer who decides to add it to
If you're using pip and want strong reliability and much higher security, I strongly recommend you consider switching to
peepin is an executable used to modify your requirements.txt automatically for you. It can do two things. At least one.
1) Automatically figure out what the right checksums should be.
2) It can figure out what is the latest version on PyPI.
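To make both halves of that concrete (the checksum comparison peep does at install time, and the checksum line peepin writes for you), here is an added example in Python. It is my own code, not part of peep or peepin: it parses a requirements.txt in the "# sha256:" comment style shown in the git diff later in the post, computes the hash of an archive, and reports whether the archive matches its pin. It assumes the hash encoding is the sha256 digest in urlsafe base64 with the "=" padding stripped, which matches the 43-character hashes in that diff; the archive bytes and requirements text are constructed for the demo rather than downloaded from PyPI.

```python
import base64
import hashlib
import re

# Hash comment peep places directly above a pinned requirement line.
HASH_LINE = re.compile(r"^#\s*sha256:\s*(?P<hash>[A-Za-z0-9_-]+)\s*$")
# Exact pin "name==version"; anything looser cannot be hash-checked.
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s#]+)")


def peep_hash(data: bytes) -> str:
    """sha256 digest, urlsafe base64, trailing '=' padding removed.

    Assumption: this is the encoding behind the 43-character hashes in the
    post (e.g. AV1uiepPkO_mjIg3AvAKUDzsw82lsCCLCp6J6q_4naM).
    """
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_requirements(text: str) -> dict:
    """Map 'name==version' -> expected hash, or None when no hash line precedes it."""
    pinned = {}
    pending_hash = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            pending_hash = m.group("hash")
            continue
        m = REQ_LINE.match(line)
        if m:
            pinned[f"{m.group('name')}=={m.group('version')}"] = pending_hash
        # A hash applies only to the requirement directly below it; any other
        # line (blank, ordinary comment, requirement) clears it.
        pending_hash = None
    return pinned


def verify_archive(requirement: str, archive: bytes, pinned: dict) -> str:
    """Return 'ok', 'mismatch' or 'unpinned' for a downloaded archive."""
    expected = pinned.get(requirement)
    if expected is None:
        # Only the version number was checked, which is all plain pip does.
        return "unpinned"
    return "ok" if peep_hash(archive) == expected else "mismatch"


def hash_line_for(archive: bytes) -> str:
    """The comment line to write above a requirement once the archive is in hand."""
    return f"# sha256: {peep_hash(archive)}"


def demo() -> dict:
    # Constructed sample: these bytes stand in for a downloaded tarball.
    good_archive = b"django-bootstrap-form-3.2.tar.gz contents (constructed)"
    tampered = good_archive + b"\n# extra bytes"
    requirements = "\n".join([
        "django-cronjobs==0.2.3",            # pinned by version only
        hash_line_for(good_archive),          # what peepin would write
        "django-bootstrap-form==3.2",
    ])
    pinned = parse_requirements(requirements)
    return {
        "pinned": verify_archive("django-bootstrap-form==3.2", good_archive, pinned),
        "tampered": verify_archive("django-bootstrap-form==3.2", tampered, pinned),
        "unpinned": verify_archive("django-cronjobs==0.2.3", good_archive, pinned),
    }


if __name__ == "__main__":
    print(demo())
```

The "unpinned" result is the important one: a requirement without a hash line above it installs with a version check only, so a hash-aware installer should treat that as a warning rather than silently falling back to plain pip behaviour.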
(airmozilla):~/airmozilla (upgrade-django-bootstrap-form $)$ peepin --verbose django-bootstrap-form
* Latest version for 3.2 https://pypi.python.org/pypi/django-bootstrap-form/3.2
* Found URL https://pypi.python.org/packages/source/d/django-bootstrap-form/django-bootstrap-form-3.2.tar.gz#md5=1e95b05a12362fe17e91b962c41d139e
* Re-using /var/folders/1x/2hf5hbs902q54g3bgby5bzt40000gn/T/django-bootstrap-form-3.2.tar.gz
* Hash AV1uiepPkO_mjIg3AvAKUDzsw82lsCCLCp6J6q_4naM
* Editing requirements.txt
And once that's done:
(airmozilla):~/airmozilla (upgrade-django-bootstrap-form *$)$ git diff diff --git a/requirements.txt b/requirements.txt index a6600f1..5f1374c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -83,8 +83,8 @@ BeautifulSoup==3.2.1 django_compressor==1.4 # sha256: F3KVsUQkAMks22fo4Y-f9ZRvtEL4WBO50IN4I3IuoI0 django-cronjobs==0.2.3 -# sha256: 2G3HpwzvCTy3dc1YE7H4XQH6ZN8M3gWpkVFR28OOsNE -django-bootstrap-form==3.1 +# sha256: AV1uiepPkO_mjIg3AvAKUDzsw82lsCCLCp6J6q_4naM +django-bootstrap-form==3.2 # sha256: jiOPwzhIDdvXgwiOhFgqN6dfB8mSdTNzMsmjmbIBkfI regex==2014.12.24 # sha256: ZY2auoUzi-jB0VMsn7WAezgdxxZuRp_w9i_KpCQNnrg
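Review bot: the two lines that change for django-bootstrap-form move as a pair, and that pairing is what to check in a peepin-generated diff: the new "# sha256: AV1uiepPkO_mjIg3AvAKUDzsw82lsCCLCp6J6q_4naM" sits directly above "django-bootstrap-form==3.2", the same layout every other entry in the hunk uses, and the value is the Hash that peepin --verbose printed in the session above. A diff that bumps django-bootstrap-form==3.1 to 3.2 but leaves the old "# sha256: 2G3HpwzvCTy3dc1YE7H4XQH6ZN8M3gWpkVFR28OOsNE" line in place should be sent back, since that hash belongs to the 3.1 archive and peep's checksum comparison would not match the 3.2 download.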
If you want to, you can open up and inspect the downloaded package and check that nobody has tampered with it. Or, if you don't have time for that, at least use the package locally and run your tests. If you now feel comfortable with the installed package, you can be 100% certain that the same package is what will be installed on your server once the code goes into production.