From 2147ddc995f0d57bab22edc3bbf3d8e5771b430e Mon Sep 17 00:00:00 2001 From: Brett Cannon Date: Fri, 13 Aug 2021 17:25:36 -0700 Subject: [PATCH] PEP 665: add some open issues --- pep-0665.rst | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/pep-0665.rst b/pep-0665.rst index c8d63e90c..76e79d556 100644 --- a/pep-0665.rst +++ b/pep-0665.rst @@ -937,6 +937,7 @@ would provide enough flexibility for things such as other version control systems, innovative container formats, etc. to be officially usable in a lock file. + ----------------------------------------------- Support Variable Expansion in the ``url`` field ----------------------------------------------- @@ -949,6 +950,62 @@ Environment variables could be supported to avoid hardcoding things such as user credentials for Git. +--------------------------------------------------------------- +Don't Require Lock Files Be in a ``pyproject-lock.d`` directory +--------------------------------------------------------------- + +It has been suggested that since installers may very well allow users +to specify the path to a lock file that having this PEP say that +"MUST be kept in a directory named ``pyproject-lock.d``" is pointless +as it is bound to be broken. As such, the suggestion is to change +"MUST" to "SHOULD". + + +--------------------------------------------------- +Record the Date of When the Lock File was Generated +--------------------------------------------------- + +Since the modification date is not guaranteed to match when the lock +file was generated, it has been suggested to record the date as part +of the file's metadata. The question, though, is how useful is this +information and can lockers that care put it into their ``[tool]`` +table instead of mandating it be set? + + +-------------------------- +Locking Build Dependencies +-------------------------- + +Thanks to PEP 518, source trees and sdists can specify what build +tools must be installed in order to build a wheel (or sdist in the +case of a source tree). It has been suggested that the lock file also +record such packages so to increase how reproducible an installation +can be. + +There is nothing currently in this PEP, though, that prohibits a +locker from recording build tools thanks to ``metadata.needs`` acting +as the entry point for calculating what to install. There is also a +cost in downloading all potential sdists and source trees, reading +their ``pyproject.toml`` files, and then calculating their build +dependencies for locking purposes for which not everyone will want to +pay the cost for. + + +-------------------------------------------------------------- +Recording the ``Requires-Dist`` Input to the Locker's Resolver +-------------------------------------------------------------- + +While the ``needs`` key allows for recording dependency specifiers, +this PEP does not currently require the ``needs`` key to record the +**exact** ``Requires-Dist`` metadata that was used to calculate the +lock file. It has been suggested that recording the inputs would help +in auditing the outcome of the lock file. + +If this were to be done, it would be an key named ``requested`` which +lived along side ``needs`` and would only be specified if it would +differ from what is specified in ``needs``. + + =============== Acknowledgments ===============