Pin requirements
Closed this issue · 4 comments
PollBot is not a library. It's a server. It's only supposed to be deployed "once" (once per environment).
All the requirements are not pinned. For example
That means you could get one version of a dependency on your laptop when you're working on a feature, a different version in CI before merging into master, and an entirely different version in Prod that you never tested locally or in CI.
Also, an advantage of testing and developing with the same versions you deploy in Prod is that you'll spend a little more time with the dependencies locally, which gives you a chance to discover whether a dependency might have been compromised.
How does not pinning dependencies make it a library and not a server?
Though it does seem prudent to pin deps and update them as necessary.
Related mozilla-services/kinto-dist#270
> How does not pinning dependencies make it a library and not a server?
I wrote a long comment but realized that I patronizingly just explained how dependencies work. :)
Basically, libraries should be loose with requirements. Servers should not at all because with them it's counterproductive to get different versions of dependencies.
I moved all the requirements to requirements.txt and added a constraints.txt with the secondary requirements. That's what we're doing with other projects and it works well enough.
In doing this, I threw all the prod and dev requirements into one file. Is that great? No. But it simplifies a bunch of things and reduces reliability risks for a slightly larger attack surface area. We're doing this on other projects and PollBot isn't wildly interesting, so I'm going for easier-to-maintain over as-secure-as-can-be.
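The drift described in the opening comment (one version locally, another in CI, a third in Prod) and the requirements.txt plus constraints.txt layout from the last comment both come down to the same check: every line in both files must pin exactly one version. The following checker is an added example, not code from the PollBot repository or from anyone in this thread. It uses only the standard library, and the requirements.txt and constraints.txt contents it runs on are constructed for the example (the package names and hash are placeholders, not PollBot's real dependencies).

```python
import re

# pip's own rule: '#' starts a comment only at line start or after whitespace,
# so URL fragments such as '#egg=' or '#sha256=' survive.
_COMMENT = re.compile(r"(^|\s+)#.*$")
# name[extras] followed by whatever remains (specifier, '@ url', or nothing).
_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_OPERATOR = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*(.+)$")


def _logical_lines(text):
    """Yield (lineno, line) with comments removed and backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = _COMMENT.sub("", raw).rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined, first = " ".join(buf).strip(), start
        buf, start = [], None
        if joined:
            yield first, joined


def _pin_reason(spec_text):
    """Return None if the specifier pins exactly one version, else why it does not."""
    if not spec_text:
        return "no version specifier"
    for spec in re.split(r"\s*,\s*", spec_text):
        m = _OPERATOR.match(spec)
        if not m:
            return f"unparsable specifier {spec!r}"
        if m.group(1) not in ("==", "==="):
            return f"range operator {m.group(1)!r}"
        if m.group(2).endswith(".*"):
            return "wildcard pin"
    return None


def unpinned(text, require_hashes=False):
    """Return [(lineno, name, reason)] for every requirement that is not pinned.

    Works for requirements.txt and constraints.txt alike. With require_hashes=True
    a pinned version without a --hash is also reported (the stricter setting you
    want in prod, since a version pin alone does not detect a replaced artifact).
    """
    findings = []
    for lineno, line in _logical_lines(text):
        if line.startswith("-"):
            if line.startswith(("-e", "--editable")):
                findings.append((lineno, line, "editable install cannot be pinned"))
            continue  # -r, -c, --index-url and friends are not requirements
        hashes = re.findall(r"--hash=(\S+)", line)
        req = re.sub(r"\s+--hash=\S+", "", line).split(";", 1)[0].strip()  # drop hashes, env markers
        m = _NAME.match(req)
        if not m:
            findings.append((lineno, line, "unparsable requirement"))
            continue
        name, _extras, rest = m.groups()
        rest = rest.strip()
        if rest.startswith("@"):
            reason = None if "#sha256=" in rest else "direct reference without a hash fragment"
        else:
            reason = _pin_reason(rest)
        if reason is None and require_hashes and not hashes:
            reason = "pinned but no --hash"
        if reason:
            findings.append((lineno, name, reason))
    return findings


# Constructed sample files for the example; not PollBot's real requirements.
REQUIREMENTS = """\
# constructed requirements.txt
-c constraints.txt
aiohttp==2.2.5 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.18          # range: laptop, CI and prod can all resolve differently
Jinja2                  # no specifier at all
kinto-http==9.0.0; python_version < "3.7"
mypkg @ https://example.invalid/mypkg-1.0.tar.gz
-e git+https://example.invalid/foo.git#egg=foo
"""

CONSTRAINTS = """\
# constructed constraints.txt: transitive dependencies
multidict==3.1.3
yarl==0.10.3
chardet~=3.0
"""

if __name__ == "__main__":
    for label, text in (("requirements.txt", REQUIREMENTS), ("constraints.txt", CONSTRAINTS)):
        for lineno, name, reason in unpinned(text, require_hashes=True):
            print(f"{label}:{lineno}: {name}: {reason}")
```

Run it against both files in CI (fail the build on any finding) so an unpinned line cannot reach master; the `require_hashes=True` mode is the one to use once the file is meant to be installed with `pip install --require-hashes`.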