gistfile1.txt

- [ ] Rising standards of repeatability:
    - [ ] pip freeze
        - [ ] This gives you the basics, defending you against buggy or
              incompatible upstream updates.
        - [ ] Be sure to include dependencies! Install with --no-deps
              and run your test suite to make sure it works.
    - [ ] hashes
        - [ ] This defends you against package replacement (which PyPI
              doesn't allow anymore but other indexes might), indexes
              getting hacked, and MITM attacks. (HTTPS also contributes
              to MITM protection but is vulnerable to governments and
              other entities issuing fake MITM certs.)
    - [ ] wheelballs
        - [ ] This lets you install even if the index server is
              unreachable.
        - [ ] Combine it with hashes to be able to build a new
              wheelball with verifiably identical packages (perhaps
              minus a few you've decided to update).