diff --git a/README.md b/README.md
index e98ef1211156751df2ef17fe58db4c80c93a7f11..859d4e16ccbc75f9bc331c0b77a7cd4bbfe534ba 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,9 @@ A web service to manage LDAP users, groups and permissions.
 - python3-flask-oauthlib
 - git (cli utility, musst be in path)
 
+Some of the dependencies (especially fido2 and flask-oauthlib) changed their API in recent versions, so make sure to install the versions from Debian Buster.
+You can also use virtualenv with the supplied `requirements.txt`.
+
 ## development
 
 During development, you may want to enable LDAP mocking, as you otherwise need to have access to an actual LDAP server with the required schema.
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000000000000000000000000000000000000..e5d9378ef3c596fc10d4a4efae409a99ef76774a
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,37 @@
+# Versions from Debian Buster
+ldap3==2.4.1
+flask==1.0.2
+Flask-SQLAlchemy==2.1
+qrcode==6.1
+fido2==0.5.0
+Flask-OAuthlib==0.9.5
+
+# The main dependencies on their own lead to version collisions and pip is
+# not very good at resolving them, so we pin the versions from Debian Buster
+# for all dependencies.
+certifi==2018.8.24
+cffi==1.12.2
+chardet==3.0.4
+click==7.0
+cryptography==2.6.1
+idna==2.6
+itsdangerous==0.24
+Jinja2==2.10
+MarkupSafe==1.1.0
+oauthlib==2.1.0
+pyasn1==0.4.2
+pycparser==2.19
+requests==2.21.0
+requests-oauthlib==1.0.0
+six==1.12.0
+SQLAlchemy==1.2.18
+urllib3==1.24.1
+Werkzeug==0.14.1
+
+# Testing
+pytest==3.10.1
+atomicwrites==1.1.5
+attrs==18.2.0
+more-itertools==4.2.0
+pluggy==0.8.0
+py==1.7.0