From 5bc918c6d229e527667772fb38056f1c1c0405b6 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Mon, 18 Nov 2019 14:53:37 -0800
Subject: [PATCH 1/2] Added a requirements file to update Docker pip version

---
 Makefile                                           |  4 ++++
 admin/requirements-dev.txt                         |  2 +-
 admin/requirements.txt                             |  2 +-
 securedrop/dockerfiles/xenial/python3/Dockerfile   |  1 +
 .../requirements/python3/docker-requirements.in    |  2 ++
 .../requirements/python3/docker-requirements.txt   | 14 ++++++++++++++
 6 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 securedrop/requirements/python3/docker-requirements.in
 create mode 100644 securedrop/requirements/python3/docker-requirements.txt

diff --git a/Makefile b/Makefile
index 8be175cd4c..51c3f274dd 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,10 @@ update-python3-requirements:  ## Update Python 3 requirements with pip-compile.
 	@$(DEVSHELL) pip-compile --generate-hashes \
 		--output-file requirements/python3/securedrop-app-code-requirements.txt \
 		requirements/python3/securedrop-app-code-requirements.in
+	@$(DEVSHELL) pip-compile --generate-hashes \
+		--allow-unsafe \
+		--output-file requirements/python3/docker-requirements.txt \
+		requirements/python3/docker-requirements.in
 
 .PHONY: update-pip-requirements
 update-pip-requirements: update-admin-pip-requirements update-python3-requirements ## Update all requirements with pip-compile.
diff --git a/admin/requirements-dev.txt b/admin/requirements-dev.txt
index 389d4892d3..0e090db2c8 100644
--- a/admin/requirements-dev.txt
+++ b/admin/requirements-dev.txt
@@ -170,4 +170,4 @@ wrapt==1.10.11 \
 
 # WARNING: The following packages were not pinned, but pip requires them to be
 # pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
-# setuptools==41.2.0        # via d2to1, pytest
+# setuptools==41.6.0        # via d2to1, pytest
diff --git a/admin/requirements.txt b/admin/requirements.txt
index 3b1f9ee837..fcde41cbb4 100644
--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@@ -162,4 +162,4 @@ wcwidth==0.1.7 \
 
 # WARNING: The following packages were not pinned, but pip requires them to be
 # pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
-# setuptools==41.2.0        # via ansible
+# setuptools==41.6.0        # via ansible
diff --git a/securedrop/dockerfiles/xenial/python3/Dockerfile b/securedrop/dockerfiles/xenial/python3/Dockerfile
index 6a42a7a561..001c9588e4 100644
--- a/securedrop/dockerfiles/xenial/python3/Dockerfile
+++ b/securedrop/dockerfiles/xenial/python3/Dockerfile
@@ -49,6 +49,7 @@ RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.24.0/geckod
 
 COPY requirements requirements
 RUN python3 -m venv /opt/venvs/securedrop-app-code && \
+    /opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/docker-requirements.txt && \
     /opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/securedrop-app-code-requirements.txt && \
     /opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/test-requirements.txt
 
diff --git a/securedrop/requirements/python3/docker-requirements.in b/securedrop/requirements/python3/docker-requirements.in
new file mode 100644
index 0000000000..31f5021dfb
--- /dev/null
+++ b/securedrop/requirements/python3/docker-requirements.in
@@ -0,0 +1,2 @@
+pip==19.1
+setuptools
diff --git a/securedrop/requirements/python3/docker-requirements.txt b/securedrop/requirements/python3/docker-requirements.txt
new file mode 100644
index 0000000000..00e2525d5b
--- /dev/null
+++ b/securedrop/requirements/python3/docker-requirements.txt
@@ -0,0 +1,14 @@
+#
+# This file is autogenerated by pip-compile
+# To update, run:
+#
+#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/python3/docker-requirements.txt requirements/python3/docker-requirements.in
+#
+
+# The following packages are considered to be unsafe in a requirements file:
+pip==19.1 \
+    --hash=sha256:8f59b6cf84584d7962d79fd1be7a8ec0eb198aa52ea864896551736b3614eee9 \
+    --hash=sha256:d9137cb543d8a4d73140a3282f6d777b2e786bb6abb8add3ac5b6539c82cd624
+setuptools==41.6.0 \
+    --hash=sha256:3e8e8505e563631e7cb110d9ad82d135ee866b8146d5efe06e42be07a72db20a \
+    --hash=sha256:6afa61b391dcd16cb8890ec9f66cc4015a8a31a6e1c2b4e0c464514be1a3d722

From c1dd8c8d132d99020dc51026035208482016051d Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman <kog@freedom.press>
Date: Fri, 22 Nov 2019 08:59:57 -0800
Subject: [PATCH 2/2] added wheel to docker image's python packages

---
 securedrop/requirements/python3/docker-requirements.in  | 1 +
 securedrop/requirements/python3/docker-requirements.txt | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/securedrop/requirements/python3/docker-requirements.in b/securedrop/requirements/python3/docker-requirements.in
index 31f5021dfb..a9774f547c 100644
--- a/securedrop/requirements/python3/docker-requirements.in
+++ b/securedrop/requirements/python3/docker-requirements.in
@@ -1,2 +1,3 @@
 pip==19.1
 setuptools
+wheel
diff --git a/securedrop/requirements/python3/docker-requirements.txt b/securedrop/requirements/python3/docker-requirements.txt
index 00e2525d5b..034c1ca78f 100644
--- a/securedrop/requirements/python3/docker-requirements.txt
+++ b/securedrop/requirements/python3/docker-requirements.txt
@@ -4,6 +4,9 @@
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements/python3/docker-requirements.txt requirements/python3/docker-requirements.in
 #
+wheel==0.33.6 \
+    --hash=sha256:10c9da68765315ed98850f8e048347c3eb06dd81822dc2ab1d4fde9dc9702646 \
+    --hash=sha256:f4da1763d3becf2e2cd92a14a7c920f0f00eca30fdde9ea992c836685b9faf28
 
 # The following packages are considered to be unsafe in a requirements file:
 pip==19.1 \