setup_venv: Use pip install --require-hashes for better security.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-10-03 04:37:50 +00:00 · 2019-10-03 04:37:50 +00:00 · 775162d687
parent 3d876aacc6
commit 775162d687
1 changed files with 2 additions and 2 deletions
--- a/scripts/lib/setup_venv.py
+++ b/scripts/lib/setup_venv.py
@ -102,8 +102,8 @@ YUM_THUMBOR_VENV_DEPENDENCIES = [
 def install_venv_deps(pip, requirements_file):
    # type: (str, str) -> None
    pip_requirements = os.path.join(ZULIP_PATH, "requirements", "pip.txt")
-    run([pip, "install", "--force-reinstall", "--requirement", pip_requirements])
-    run([pip, "install", "--no-deps", "--requirement", requirements_file])
+    run([pip, "install", "--force-reinstall", "--require-hashes", "--requirement", pip_requirements])
+    run([pip, "install", "--no-deps", "--require-hashes", "--requirement", requirements_file])

 def get_index_filename(venv_path):
    # type: (str) -> str