pip


Prevent typo-squatting

Use pip-tools to read requirements.in and write a requirements.txt that pins every package, transitive dependencies included, to an exact version and its sha256 hashes [1]. pip then rejects any downloaded file whose digest is not in the lock file, so a package that is later replaced by a different artifact cannot be installed. The hashes protect the artifact, not the name: check the spelling of every package in requirements.in before compiling, because pip-compile will pin the hashes of a misspelled (typo-squatted) package just as readily.

Create a virtual environment with pip-tools

python3 -m venv .env
.env/bin/pip install pip-tools==6.4.0

Create a lock file

echo 'icloudpd==1.7.2' >> requirements.in
.env/bin/pip-compile --generate-hashes requirements.in

pip-tools installs the pip-compile and pip-sync commands; there is no pip-tools executable. Output goes to requirements.txt next to the input file.

Use the lock file

.env/bin/pip install --require-hashes -r requirements.txt

pip switches to hash-checking mode on its own as soon as one requirement carries a --hash option; --require-hashes makes the install fail instead if any requirement, including one added by hand later, lacks a hash.
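A lock file that loses its hashes (a hand edit, a pip-compile run without --generate-hashes) still installs, just without verification, so it is worth failing CI before the install step. The guard below is an added example, not code from the page or from pip-tools; the icloudpd digests in the sample lock are constructed placeholders, not real hashes.

```bash
#!/usr/bin/env bash
# Added example (not code from the page or from pip-tools): a CI guard that
# refuses a requirements.txt unless every requirement carries a sha256 hash.
# pip only enters hash-checking mode when it sees --hash options, so a lock
# file that silently lost them would install unverified files without complaint.

# check_lock_hashes [FILE]: exit 0 if every requirement in FILE (or stdin)
# has at least one well-formed --hash=sha256:<64 hex> option, else exit 1.
# Joins pip-compile's backslash continuation lines and skips comments and
# pip options such as -r / --index-url.
check_lock_hashes() {
  awk '
    {
      sub(/[ \t]+$/, "")                       # trailing whitespace
      if ($0 ~ /\\$/) {                        # continued on the next line
        buf = buf " " substr($0, 1, length($0) - 1)
        next
      }
      line = buf " " $0
      buf = ""
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/ || line ~ /^-/) next
      n++
      ok = 0
      rest = line
      while (match(rest, /--hash=sha256:[0-9a-f]+/)) {
        if (RLENGTH == length("--hash=sha256:") + 64) ok = 1
        rest = substr(rest, RSTART + RLENGTH)
      }
      if (!ok) { print "no sha256 hash: " line; bad = 1 }
    }
    END {
      if (n == 0) { print "no requirements found"; exit 1 }
      exit bad
    }
  ' "$@"
}

# Constructed sample in the layout pip-compile --generate-hashes produces.
# The digests are placeholders, not real icloudpd hashes.
GOOD_LOCK=$(cat <<'EOF'
#
# This file is autogenerated by pip-compile
#
icloudpd==1.7.2 \
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
    --hash=sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
    # via -r requirements.in
EOF
)

# Constructed sample: version-pinned only, which pip would accept silently.
BAD_LOCK=$(cat <<'EOF'
icloudpd==1.7.2
requests>=2.0
EOF
)

if printf '%s\n' "$GOOD_LOCK" | check_lock_hashes; then
  echo "good lock: every requirement is hash-pinned"
fi
if printf '%s\n' "$BAD_LOCK" | check_lock_hashes; then
  echo "bad lock: unexpectedly accepted"
else
  echo "bad lock: rejected"
fi
```

Run it as `check_lock_hashes requirements.txt` in the job that precedes `pip install`; it prints each offending requirement, so the failure message tells the developer what to re-compile.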

Prevent dependency confusion

Disallow using PyPI when installing from a private repository. --index-url replaces PyPI as the only index pip consults, so a package name that exists only on the private index cannot be satisfied from anywhere else:

.env/bin/pip install <my package> --index-url <url>

Do not use the --extra-index-url option. It adds an index alongside PyPI rather than replacing it, and pip then takes the highest version it finds on any of them; an attacker who publishes a higher version of an internal package name on PyPI wins the resolution. The same applies to the PIP_EXTRA_INDEX_URL environment variable and the extra-index-url key in pip.conf, which set the option without it appearing on the command line.
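Because the option can come from pip.conf or the environment as well as the command line, an install job should check all of them. The audit below is an added example, not code from the page or from pip; it models pip's precedence (an environment variable overrides the config file; the command line overrides both but is not visible to a script) and fails whenever any extra index is in effect. The index host names in the sample configurations are made up.

```bash
#!/usr/bin/env bash
# Added example (not code from the page or from pip): audit where pip would
# look for packages before an install and fail on any extra-index-url.
# Sample index hosts below are constructed for the demonstration.

# pip_conf_get KEY FILE: print the last value of KEY from a pip.conf-style
# INI file, in any section. Underscore and dash key forms are equivalent,
# and indented continuation lines of a multi-line value are appended.
pip_conf_get() {
  awk -v want="$1" '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { cur = ""; next }                 # section header
    index($0, "=") == 0 {                          # continuation line
      if (cur == want) {
        v = $0; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        last = (last == "") ? v : (last " " v)
      }
      next
    }
    {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/[ \t]/, "", k); gsub(/_/, "-", k)
      sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      cur = k
      if (k == want) last = v
    }
    END { print last }
  ' "$2"
}

# audit_pip_index_config FILE: exit 1 if an extra index is configured in
# FILE or in the environment, otherwise report the single index pip will use.
audit_pip_index_config() {
  local conf="$1" index extra
  # precedence, lowest to highest: config file, then PIP_* environment variable
  index="${PIP_INDEX_URL:-$(pip_conf_get index-url "$conf")}"
  extra="${PIP_EXTRA_INDEX_URL:-$(pip_conf_get extra-index-url "$conf")}"
  if [ -n "$extra" ]; then
    echo "FAIL: extra index in effect: $extra (pip may resolve any name from it)"
    return 1
  fi
  echo "OK: only index: ${index:-https://pypi.org/simple (pip default)}"
  return 0
}

# write_sample_confs DIR: constructed pip.conf files for the demonstration.
write_sample_confs() {
  cat > "$1/risky.conf" <<'EOF'
[global]
timeout = 60
index-url = https://pypi.example.internal/simple
# PyPI "as a fallback": every internal name is now also looked up there
extra-index-url = https://pypi.org/simple
EOF
  cat > "$1/safe.conf" <<'EOF'
[global]
index_url = https://pypi.example.internal/simple
EOF
}

unset PIP_INDEX_URL PIP_EXTRA_INDEX_URL     # deterministic demo environment
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
audit_pip_index_config "$demo_dir/safe.conf"
audit_pip_index_config "$demo_dir/risky.conf" || true
# an environment variable reintroduces the problem even with a safe file
PIP_EXTRA_INDEX_URL=https://pypi.org/simple audit_pip_index_config "$demo_dir/safe.conf" || true
rm -rf "$demo_dir"
```

Point it at each pip.conf pip actually reads on the build host (the global, user and virtual-environment locations) and run it in the same shell that will perform the install, so the environment it sees is the one pip will see.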

References

  1. How to secure your Python software supply chain by Benoît Goujon, October 28th, 2021