Google Git
Sign in
gerrit / gerrit-ci-scripts / d53350c3e34353e167d90765bcd041a8ee899330^! / .
commitd53350c3e34353e167d90765bcd041a8ee899330[log] [tgz]
authorLuca Milanesio <luca.milanesio@gmail.com>Sat Feb 11 00:00:33 2023 +0000
committerLuca Milanesio <luca.milanesio@gmail.com>Tue Feb 14 20:45:18 2023 +0000
tree77586c4c97fa9c6e668668f506c145c6567c9c16
parent576907c38a7135ca08f70a2bae48a6b797af0943 [diff]
Add --require-hashes to all pip install commands

'pip install' should use --require-hashes to assert that the
dependencies that are loaded are matching expectations and
have not been forged.

Bug: Issue 16677
Change-Id: I41abdd85424f7330c4a658ffa4b32c39d8626fcc

diff --git a/README.md b/README.md
index fb4115b..4070ec7 100644
--- a/README.md
+++ b/README.md

@@ -13,7 +13,7 @@
 Yamllint can be downloaded using Python Pip:
 
 ```sh
-pip3 install yamllint
+pip3 install --require-hashes yamllint
 ```
 
 To run the linter, execute this command from the project's root directory:

diff --git a/jenkins-docker/agent-debian/Dockerfile b/jenkins-docker/agent-debian/Dockerfile
index e22b7a7..2909b23 100644
--- a/jenkins-docker/agent-debian/Dockerfile
+++ b/jenkins-docker/agent-debian/Dockerfile

@@ -34,7 +34,7 @@
     zip \
     && rm -rf /var/lib/apt/lists/*
 
-RUN pip install python-jenkins
+RUN pip install --require-hashes python-jenkins
 
 ADD https://www.kernel.org/pub/software/scm/git/git-$GIT_VER.tar.gz /tmp/
 RUN tar xvfz /tmp/git-$GIT_VER.tar.gz && \

diff --git a/jenkins-docker/agent-python3/Dockerfile b/jenkins-docker/agent-python3/Dockerfile
index 20a2087..aefbaa3 100644
--- a/jenkins-docker/agent-python3/Dockerfile
+++ b/jenkins-docker/agent-python3/Dockerfile

@@ -2,5 +2,5 @@
 
 RUN apt-get update --allow-releaseinfo-change && apt-get install -y \
     python3-pip && \
-    pip3 install yamllint pipenv && \
+    pip3 install --require-hashes yamllint pipenv && \
     rm -Rf /var/lib/apt/lists

diff --git a/jenkins-docker/server/Dockerfile b/jenkins-docker/server/Dockerfile
index 471cb1e..291899a 100644
--- a/jenkins-docker/server/Dockerfile
+++ b/jenkins-docker/server/Dockerfile

@@ -24,7 +24,7 @@
     lsb-release \
     apt-transport-https && \
     rm -rf /var/lib/apt/lists/* && \
-    pip install pbr==2.0.0 && \
+    pip install --require-hashes pbr==2.0.0 && \
     mkdir -p /etc/jenkins_jobs && chown jenkins: /etc/jenkins_jobs
 
 RUN sed -i 's#mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf && \
@@ -34,7 +34,7 @@
 RUN git clone https://review.opendev.org/jjb/jenkins-job-builder && \
     cd jenkins-job-builder && \
     git checkout 979770380151f99ec7b48d7d6fbd8d8d254c752c && \
-    pip install .
+    pip install --require-hashes .
 
 COPY jenkins_jobs.ini /etc/jenkins_jobs/jenkins_jobs.ini