{
    "info": {
        "author": "Peter Bengtsson",
        "author_email": "mail@peterbe.com",
        "bugtrack_url": null,
        "classifiers": [
            "Intended Audience :: Developers",
            "Intended Audience :: System Administrators",
            "License :: OSI Approved :: MIT License",
            "Programming Language :: Python :: 2.7",
            "Programming Language :: Python :: 3",
            "Topic :: Software Development :: Build Tools",
            "Topic :: System :: Installation/Setup",
            "Topic :: System :: Systems Administration"
        ],
        "description": "======\nhashin\n======\n\n.. image:: https://travis-ci.org/peterbe/hashin.svg?branch=master\n    :target: https://travis-ci.org/peterbe/hashin\n\n.. image:: https://badge.fury.io/py/hashin.svg\n    :target: https://pypi.python.org/pypi/hashin\n\nHelps you write your ``requirements.txt`` with hashes so you can\ninstall with ``pip install --require-hashes -r ...``\n\nIf you want to add a package or edit the version of one you're currently\nusing you have to do the following steps:\n\n1. Go to pypi for that package\n2. Download the ``.tgz`` file\n3. Possibly download the ``.whl`` file\n4. Run ``pip hash downloadedpackage-1.2.3.tgz``\n5. Run ``pip hash downloadedpackage-1.2.3.whl``\n6. Edit ``requirements.txt``\n\nThis script does all those things.\nHackishly wonderfully so.\n\nA Word of Warning!\n==================\n\nThe whole point of hashing is that you **vet the packages** that you use\non your laptop and that they haven't been tampered with. Then you\ncan confidently install them on a server.\n\nThis tool downloads from PyPI (over HTTPS) and runs ``pip hash``\non the downloaded files.\n\nYou should check that the packages that are downloaded\nare sane and not tampered with. The way you do that is to run\n``hashin`` as normal but with the ``--verbose`` flag. When you do that\nit will print where it downloaded the relevant files and those\nfiles are not deleted. For example::\n\n    $ hashin --verbose bgg /tmp/reqs.txt\n    https://pypi.python.org/pypi/bgg/json\n    * Latest version for 0.22.1\n    * Found URL https://pypi.python.org/packages/2.7/b/bgg/bgg-0.22.1-py2-none-any.whl\n    *   Re-using /var/folders/1x/2hf5hbs902q54g3bgby5bzt40000gn/T/bgg-0.22.1-py2-none-any.whl\n    *   Hash e5172c3fda0e8a42d1797fd1ff75245c3953d7c8574089a41a219204dbaad83d\n    * Found URL https://pypi.python.org/packages/source/b/bgg/bgg-0.22.1.tar.gz\n    *   Re-using /var/folders/1x/2hf5hbs902q54g3bgby5bzt40000gn/T/bgg-0.22.1.tar.gz\n    *   Hash aaa53aea1cecb8a6e1288d6bfe52a51408a264a97d5c865c38b34ae16c9bff88\n    * Editing /tmp/reqs.txt\n\nYou might not have time to go through the lines one by one\nbut you should be aware that the vetting process is your\nresponsibility.\n\nInstallation\n============\n\nThis is something you only do or ever need in a development\nenvironment. Ie. your laptop::\n\n    pip install hashin\n\nHow to use it\n=============\n\nSuppose you want to install ``futures``. You can either do this::\n\n    hashin futures\n\nWhich will download the latest version tarball (and wheel) and\ncalculate their pip hash and edit your ``requirements.txt`` file.\n\nOr you can be specific about exactly which version you want::\n\n    hashin \"futures==2.1.3\"\n\nYou can also specify more than one package at a time::\n\n    hashin \"futures==2.1.3\" requests\n\nSuppose you don't have a ``requirements.txt`` right there in the same\ndirectory you can specify ``--requirements-file``::\n\n    hashin futures --requirements-file=stuff/requirements/prod.txt\n\nBy default ``sha256`` hashes are used, but this can be overridden using the\n``--algorithm`` argument::\n\n    hashin futures --algorithm=sha512\n\nIf there's no output, it worked. Check how it edited your\nrequirements file.\n\nFiltering releases by Python version\n====================================\n\nSome requirements have many releases built for different versions of Python and\ndifferent architectures. These hashes aren't useful in some cases, if those\nwheels don't work with your project. ``hashin`` can filter on the Python\nversion to skip these extraneous hashes.\n\nFor example, the ``cffi`` package offers wheels built for many versions of\nCPython from 2.6 to 3.5. To select only one of them, you can use the\n``--python-version`` option::\n\n    hashin \"cffi==1.5.2\" --python-version 3.5\n\nIf you need to support multiple versions, you can pass this option multiple\ntimes::\n\n    hashin \"cffi==1.5.2\" --python-version 2.7 --python-version 3.5\n\n``hashin`` will expand these Python versions to a full list of identifers that\ncould be found on PyPI. For example, ``3.5`` will expand to match any of\n``3.5``, ``py3``, ``py3.5``, ``py2.py3``, or ``cp3.5``. You can also specify\nthese exact identifiers directly, if you need something specific.\n\nThe ``source`` release is always automatically included. ``pip`` will use\nthis as a fallback in the case a suitable wheel cannot be found.\n\nRunning tests\n=============\n\nSimply run::\n\n    python setup.py test\n\n\nDebugging\n=========\n\nTo avoid having to install ``hashin`` just to test it or debug a feature\nyou can simply just run it like this::\n\n    touch /tmp/whatever.txt\n    python hashin.py --verbose Django /tmp/whatever.txt\n\n\nHistory\n=======\n\nThis program is a \"fork\" of https://pypi.python.org/pypi/peepin\n``peepin`` was a companion to the program ``peep``\nhttps://pypi.python.org/pypi/peep/ but the functionality of ``peep``\nhas been put directly into ``pip`` as of version 8.\n\nFuture\n======\n\nIf this script proves itself to work and be useful, I hope we can\nput it directly into ``pip``.\n\nVersion History\n===============\n\n0.7.1\n  * Package matching is now case insensitive. E.g. ``hashin dJaNgO``\n\n0.7.0\n  * The requirements file and algorithm arguments are now keyword\n    arguments. Now, the second, third, nth positional argument are\n    additional arguments. Thanks @https://github.com/ahal\n\n0.6.1\n  * Support windows binaries packaged as a ``.msi`` file.\n\n0.6.0\n  * Fix compatibility issue with pip 8.1.2 and 8.1.1-2ubuntu0.1 and drop\n    support for Python 2.6\n\n0.5.0\n  * Important bug fix. As an example, if you had ``pytest-selenium==...``\n    already in your ``requirements.txt`` file and add ``selenium==x.y.z``\n    it would touch the line with ``pytest-selenium`` too.\n\n0.4.1\n  * Support for PyPI links that have a hash in the file URL.\n\n0.4.1\n  * Fix PackageError if no Python version is defined.\n\n0.4\n  * Add filtering of package releases by Python version.\n\n0.3\n  * Issue a warning for users of Python before version 2.7.9.\n\n0.2\n  * Last character a *single* newline. Not two.\n\n0.1\n  * First, hopefully, working version.\n",
        "description_content_type": null,
        "docs_url": null,
        "download_url": "",
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://github.com/peterbe/hashin",
        "keywords": "pip",
        "license": "MIT",
        "maintainer": "",
        "maintainer_email": "",
        "name": "hashin-pyup",
        "package_url": "https://pypi.org/project/hashin-pyup/",
        "platform": "",
        "project_url": "https://pypi.org/project/hashin-pyup/",
        "project_urls": {
            "Homepage": "https://github.com/peterbe/hashin"
        },
        "release_url": "https://pypi.org/project/hashin-pyup/0.7.2/",
        "requires_dist": null,
        "requires_python": "",
        "summary": "Edits your requirements.txt by hashing them in",
        "version": "0.7.2"
    },
    "last_serial": 2611616,
    "releases": {
        "0.7.2": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "6be2e67db703470ccde81f044b15546e",
                    "sha256": "09910cb804a23a84ec5403dbb0280adcee58526480c4462cce340d015337a77d"
                },
                "downloads": -1,
                "filename": "hashin-pyup-0.7.2.tar.gz",
                "has_sig": false,
                "md5_digest": "6be2e67db703470ccde81f044b15546e",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 7886,
                "upload_time": "2017-02-01T14:02:41",
                "url": "https://files.pythonhosted.org/packages/ff/81/46922ea555fc60153f1bd2c5ad7a7b843044f40971cb988834c1e8952094/hashin-pyup-0.7.2.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "6be2e67db703470ccde81f044b15546e",
                "sha256": "09910cb804a23a84ec5403dbb0280adcee58526480c4462cce340d015337a77d"
            },
            "downloads": -1,
            "filename": "hashin-pyup-0.7.2.tar.gz",
            "has_sig": false,
            "md5_digest": "6be2e67db703470ccde81f044b15546e",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 7886,
            "upload_time": "2017-02-01T14:02:41",
            "url": "https://files.pythonhosted.org/packages/ff/81/46922ea555fc60153f1bd2c5ad7a7b843044f40971cb988834c1e8952094/hashin-pyup-0.7.2.tar.gz"
        }
    ]
}