build: make the Docker image building reproducible by using Macaron’s pinned and hashed requirements.txt #1377

Merged: behnazh-w merged 7 commits into oracle:main from jenstroeger:make-dockerfile-reproducible on Apr 20, 2026

@jenstroeger
Contributor

Summary

Following up on comment #1358 (comment), this change makes the Docker image building reproducible by using Macaron’s pinned and hashed requirements.txt.

Description of changes

Building on the Simple Index artifact (see PR #1358) this change uses that local index and Macaron’s own generated requirements.txt to install Macaron into the Docker container using only the pinned and hashed dependencies.

Related issues

Issues: n/a
Pulls: #1358

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

Comment thread .github/workflows/_build.yaml
Comment thread Makefile Outdated
@jenstroeger
Contributor Author

jenstroeger commented Apr 17, 2026

Oh dear, a timely discussion: What would it look like to deprecate PEP 503?

They make a good point there. PEP 503 is an HTML based simple index whereas PEP 691 is JSON based. Given the supply chain developments of the past months it probably makes sense to switch to JSON… 🤔 For more details, see Simple repository API which discusses both formats.

@behnazh-w
Member

> Oh dear, a timely discussion: What would it look like to deprecate PEP 503?
>
> They make a good point there. PEP 503 is an HTML based simple index whereas PEP 691 is JSON based. Given the supply chain developments of the past months it probably makes sense to switch to JSON… 🤔 For more details, see Simple repository API which discusses both formats.

Thanks for finding and sharing the PEP. Yes, agreed to use PEP 691 instead.

@jenstroeger
Contributor Author

> Thanks for finding and sharing the PEP. Yes, agreed to use PEP 691 instead.

I’ve not played around with serving JSON instead of HTML for the simple index, so that change would probably take a couple of weeks. Do you want to do that in a separate PR (similar to PR #1358)? Do you want to continue with this PR and a PEP 503 compatible simple index for now, or wait?

@behnazh-w
Member

> > Thanks for finding and sharing the PEP. Yes, agreed to use PEP 691 instead.
>
> I’ve not played around with serving JSON instead of HTML for the simple index, so that change would probably take a couple of weeks. Do you want to do that in a separate PR (similar to PR #1358)? Do you want to continue with this PR and a PEP 503 compatible simple index for now, or wait?

OK, in that case let's continue with this PR and switch to PEP 691 in a follow up PR.

@behnazh-w behnazh-w merged commit b3a61b9 into oracle:main Apr 20, 2026
19 checks passed
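
An added example, not code from this PR or from Macaron: a check that every entry in a requirements file is pinned with `==` and carries a sha256 hash, and that a file listed in a PEP 691 JSON index response matches one of the locked hashes. The package names, wheel bytes and index response are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import re

REQ_RE = re.compile(r"^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?==([^\s;]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def normalize(name):
    """Project name normalization used by the simple repository API."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_locked(text):
    """Return ({name: (version, {sha256, ...})}, [problems]) for a requirements file."""
    pins, problems = {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.split(" #")[0].strip()               # drop trailing comments
        if not line or line.startswith(("#", "-")):      # comments, pip options
            continue
        m, hashes = REQ_RE.match(line), set(HASH_RE.findall(line))
        if not m:
            problems.append(f"not pinned with ==: {line.split()[0]}")
        elif not hashes:
            problems.append(f"no sha256 hash: {m.group(1)}")
        else:
            pins[normalize(m.group(1))] = (m.group(2), hashes)
    return pins, problems

def file_is_locked(pins, project, index_json, filename, data):
    """True only if the index entry and the downloaded bytes match a locked hash."""
    allowed = pins.get(normalize(project), ("", set()))[1]
    entry = next((f for f in index_json["files"] if f["filename"] == filename), None)
    if entry is None:
        return False
    listed = entry.get("hashes", {}).get("sha256")
    return listed in allowed and hashlib.sha256(data).hexdigest() == listed

# Constructed sample data: one locked entry, one unpinned, one without a hash.
WHEEL = b"constructed wheel bytes"
DIGEST = hashlib.sha256(WHEEL).hexdigest()
REQUIREMENTS = (f"examplepkg==1.2.3 \\\n    --hash=sha256:{DIGEST}\n"
                "    # via constructed-parent\notherpkg>=2.0\nthirdpkg==0.1\n")
WHEEL_NAME = "examplepkg-1.2.3-py3-none-any.whl"
INDEX = {"meta": {"api-version": "1.0"}, "name": "examplepkg",  # PEP 691 shape
         "files": [{"filename": WHEEL_NAME, "url": WHEEL_NAME,
                    "hashes": {"sha256": DIGEST}}]}

if __name__ == "__main__":
    pins, problems = parse_locked(REQUIREMENTS)
    print("locked:", sorted(pins), "problems:", problems)
    print("wheel ok:", file_is_locked(pins, "examplepkg", INDEX, WHEEL_NAME, WHEEL))
```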