Composing them declaratively, via -r directives in the .in files themselves, would make it easier to reason about requirements composition at the specifications themselves, rather than having to refer to the specific pip-compile invocations in the Makefile.
Description
make update-python3-requirements
composes our layers of.in
requirements imperatively, e.g.:https://github.com/freedomofpress/securedrop/blob/960c43b47a4a0a90e261d2206fe4aa9375622e25/Makefile#L32-L37
Composing them declaratively, via
-r
directives in the.in
files themselves, would make it easier to reason about requirements composition at the specifications themselves, rather than having to refer to the specificpip-compile
invocations in the Makefile.How will this impact SecureDrop users?
No user-facing changes.
How would this affect SecureDrop's threat model?
No threat-model implications.