From 4f79c07d8f1aeb8ef9ce3ac0b4d876754394537d Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Mon, 18 Nov 2019 14:53:37 -0800
Subject: [PATCH] Added a requirements file to update Docker pip version

---
 Makefile                                           |  4 ++++
 admin/requirements-dev.txt                         |  2 +-
 admin/requirements.txt                             |  2 +-
 securedrop/dockerfiles/xenial/python3/Dockerfile   |  1 +
 .../requirements/python3/develop-requirements.txt  |  2 +-
 .../requirements/python3/docker-requirements.in    |  2 ++
 .../requirements/python3/docker-requirements.txt   | 14 ++++++++++++++
 7 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 securedrop/requirements/python3/docker-requirements.in
 create mode 100644 securedrop/requirements/python3/docker-requirements.txt

diff --git a/Makefile b/Makefile
index 8be175cd4c3..51c3f274dda 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,10 @@ update-python3-requirements:  ## Update Python 3 requirements with pip-compile.
 	@$(DEVSHELL) pip-compile --generate-hashes \
 		--output-file requirements/python3/securedrop-app-code-requirements.txt \
 		requirements/python3/securedrop-app-code-requirements.in
+	@$(DEVSHELL) pip-compile --generate-hashes \
+		--allow-unsafe \
+		--output-file requirements/python3/docker-requirements.txt \
+		requirements/python3/docker-requirements.in
 
 .PHONY: update-pip-requirements
 update-pip-requirements: update-admin-pip-requirements update-python3-requirements ## Update all requirements with pip-compile.
diff --git a/admin/requirements-dev.txt b/admin/requirements-dev.txt
index 389d4892d3a..0e090db2c86 100644
--- a/admin/requirements-dev.txt
+++ b/admin/requirements-dev.txt
@@ -170,4 +170,4 @@ wrapt==1.10.11 \
 
 # WARNING: The following packages were not pinned, but pip requires them to be
 # pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
-# setuptools==41.2.0        # via d2to1, pytest
+# setuptools==41.6.0        # via d2to1, pytest
diff --git a/admin/requirements.txt b/admin/requirements.txt
index 3b1f9ee8375..fcde41cbb41 100644
--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@@ -162,4 +162,4 @@ wcwidth==0.1.7 \
 
 # WARNING: The following packages were not pinned, but pip requires them to be
 # pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
-# setuptools==41.2.0        # via ansible
+# setuptools==41.6.0        # via ansible
diff --git a/securedrop/dockerfiles/xenial/python3/Dockerfile b/securedrop/dockerfiles/xenial/python3/Dockerfile
index 6a42a7a5619..001c9588e44 100644
--- a/securedrop/dockerfiles/xenial/python3/Dockerfile
+++ b/securedrop/dockerfiles/xenial/python3/Dockerfile
@@ -49,6 +49,7 @@ RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.24.0/geckod
 
 COPY requirements requirements
 RUN python3 -m venv /opt/venvs/securedrop-app-code && \
+    /opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/docker-requirements.txt && \
     /opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/securedrop-app-code-requirements.txt && \
     /opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/test-requirements.txt
 
diff --git a/securedrop/requirements/python3/develop-requirements.txt b/securedrop/requirements/python3/develop-requirements.txt
index dad174a3ea9..49cb47bfafb 100644
--- a/securedrop/requirements/python3/develop-requirements.txt
+++ b/securedrop/requirements/python3/develop-requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile
 # To update, run:
 #
-#    pip-compile --generate-hashes --allow-unsafe --output-file=requirements/python3/develop-requirements.txt ../admin/requirements-ansible.in ../admin/requirements.in requirements/python3/develop-requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/python3/develop-requirements.txt ../admin/requirements-ansible.in ../admin/requirements.in requirements/python3/develop-requirements.in
 #
 alabaster==0.7.10 \
     --hash=sha256:2eef172f44e8d301d25aff8068fddd65f767a3f04b5f15b0f4922f113aa1c732 \
diff --git a/securedrop/requirements/python3/docker-requirements.in b/securedrop/requirements/python3/docker-requirements.in
new file mode 100644
index 00000000000..31f5021dfb0
--- /dev/null
+++ b/securedrop/requirements/python3/docker-requirements.in
@@ -0,0 +1,2 @@
+pip==19.1
+setuptools
diff --git a/securedrop/requirements/python3/docker-requirements.txt b/securedrop/requirements/python3/docker-requirements.txt
new file mode 100644
index 00000000000..00e2525d5bc
--- /dev/null
+++ b/securedrop/requirements/python3/docker-requirements.txt
@@ -0,0 +1,14 @@
+#
+# This file is autogenerated by pip-compile
+# To update, run:
+#
+#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/python3/docker-requirements.txt requirements/python3/docker-requirements.in
+#
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==19.1 \
+    --hash=sha256:8f59b6cf84584d7962d79fd1be7a8ec0eb198aa52ea864896551736b3614eee9 \
+    --hash=sha256:d9137cb543d8a4d73140a3282f6d777b2e786bb6abb8add3ac5b6539c82cd624
+setuptools==41.6.0 \
+    --hash=sha256:3e8e8505e563631e7cb110d9ad82d135ee866b8146d5efe06e42be07a72db20a \
+    --hash=sha256:6afa61b391dcd16cb8890ec9f66cc4015a8a31a6e1c2b4e0c464514be1a3d722