redshiftzero
@redshiftzero
thoughts welcome on lucyparsons/OpenOversight#565
tl;dr python dependency management is a nightmare
i do love pipenv check tho
Fritz Davenport
@fritzdavenport
++ for pushing pipenv
Jack Laxson
@jrabbit
I mean it works pretty well and you can drop to requirements files easily if you need them
I use it in production even
only had minor issues
mostly due to package devs fucking up
redshiftzero
@redshiftzero
what would the advantage be?
Jack Laxson
@jrabbit
pipenv bakes in hashes
in the lockfiles and requirements (generated by pipenv lock -r)
redshiftzero
@redshiftzero
we can do that now with pip --require-hashes
we just don't ;)
Jack Laxson
@jrabbit
it makes it plausible
instead of "not something we do"
it's ok if it's too much at once but I can work it into the dockerfile shuffle i wanted to do
redshiftzero
@redshiftzero
using pip --require-hashes is actually better than generating requirements.txt from Pipfile/Pipfile.lock for prod as it doesn't keep the hashes
Jack Laxson
@jrabbit
it does keep the hashes iirc
redshiftzero
@redshiftzero
hmm
redshiftzero @redshiftzero tests
Jack Laxson
@jrabbit
oh weird
it doesn't by default at least...
int10h
@brianmwaters
been some talk tonight about getting OO started here in burlington, VT :heart:
Jack Laxson
@jrabbit
well what's stopping us from just using it in the deploy?
it takes care of the venv for you too which is nice
redshiftzero
@redshiftzero
yeah i would be surprised if they added that: we wrote our own tool for SecureDrop to generate the requirements.txt hashes from Pipfile.lock
Fritz Davenport
@fritzdavenport
(we should have a prod docker)
oh - what architecture are yall usin in prod anyway? EC2?
Jack Laxson
@jrabbit
pipenv does do dev separation tho
which is all we're currently achieving with two requirements.txts rn
redshiftzero
@redshiftzero
(issues like the above along with incredibly annoying breakage causing the occasional need to do stuff like freedomofpress/securedrop#3853 is why i've been steering clear of adding Pipenv for fun unless it's solving a problem)
@fritzdavenport we are on digitalocean
Jack Laxson
@jrabbit
oh that's kind of a political fight between pip and pipenv teams
not really a technical problem
redshiftzero
@redshiftzero
i mean they don't test their releases against pip
that is ... bad (hopefully now they will)
(no shade on their team, maintaining software is hard)
i hope you don't autoupgrade pip on the box you have pipenv in prod :-o
Jack Laxson
@jrabbit
I mean you should pin your software!!
pipenv and pip
that's the moral :P
Fritz Davenport
@fritzdavenport
I heard not awesome things about pipenv
tbh I pip and docker in my work life
Jack Laxson
@jrabbit
is there a good way to do hash pinning then?
or is the idea to push that all onto the docker image COW
Fritz Davenport
@fritzdavenport
Hey - got a fun UX question