From ecbe862a24548de33217153e2ac9c79530f5533a Mon Sep 17 00:00:00 2001
From: Mark Burnett
Date: Fri, 20 Oct 2017 10:54:10 -0500
Subject: [PATCH] Avoid directly installing non-frozen dependencies

Currently the Dockerfile specifies running `pip install -e ...`, which will indirectly install dependencies from `requirements.txt`. This is generally safe, but should be avoided, since we are exclusively using frozen dependencies.

Change-Id: Ie368ddb9f1229cc248c8d8804c71889c4339aa85
---
 requirements-direct.txt | 7 +++++++
 requirements.txt | 9 ++-------
 tox.ini | 2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)
 create mode 100644 requirements-direct.txt

diff --git a/requirements-direct.txt b/requirements-direct.txt
new file mode 100644
index 00000000..6f03da8d
--- /dev/null
+++ b/requirements-direct.txt
@@ -0,0 +1,7 @@
+click==6.7
+jinja2==2.9.6
+jsonpath-ng==1.4.3
+jsonschema==2.6.0
+pbr==3.0.1
+pyyaml==3.12
+requests==2.18.4
diff --git a/requirements.txt b/requirements.txt
index 6f03da8d..7be29c1c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,2 @@
-click==6.7
-jinja2==2.9.6
-jsonpath-ng==1.4.3
-jsonschema==2.6.0
-pbr==3.0.1
-pyyaml==3.12
-requests==2.18.4
+# Warning: This file should be empty.
+# Specify direct dependencies in requirements-direct.txt instead.
diff --git a/tox.ini b/tox.ini
index 2a9a6c91..96f85fcf 100644
--- a/tox.ini
+++ b/tox.ini
@@ -17,7 +17,7 @@ commands = python setup.py build_sphinx {posargs}
 [testenv:freeze]
-deps = -r{toxinidir}/requirements.txt
+deps = -r{toxinidir}/requirements-direct.txt
 whitelist_externals=sh
 commands=
 sh -c "pip freeze | grep -v '^promenade' > {toxinidir}/requirements-frozen.txt"
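Review bot: Emptying requirements.txt also empties the package's own install_requires, because pbr (which is in the pinned list) derives them from this file as far as I recall, so a plain `pip install -e .` now installs no runtime dependencies at all. The diffstat shows no Dockerfile in this change, so unless it is updated separately to install requirements-frozen.txt before the editable install, the image the commit message describes would be built without its dependencies. The warning comment should say that the frozen file is now the only source of dependencies, e.g. `# Warning: This file must stay empty; pbr reads it as install_requires.` and `# Install requirements-frozen.txt first; list direct deps in requirements-direct.txt.`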
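Review bot: `pip freeze` in the freeze env pins versions only, so the generated requirements-frozen.txt still cannot be consumed with `pip install --require-hashes`; a version pin does not stop an index or mirror from serving a different artifact for the same version, which is the supply-chain risk the commit message says it wants to close. If the project wants hash pinning, the freeze step would need to emit hashes (for example pip-tools' `pip-compile --generate-hashes requirements-direct.txt`) and the consuming install would pass `--require-hashes`. Separately, `grep -v '^promenade'` only drops a `promenade==…` line; if this env installs the package in develop mode, pip freeze prints it as an `-e …` line that the filter misses, which is worth checking against the env's `usedevelop` setting outside the hunk.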