Maybe an approach to consider is to be clear and explicit about the trade-offs in the solution. This will allow people to make decisions about what is appropriate for their purposes and to have clear expectations.
Proposal: Lockfile PEP
Lockfile design MUST:
- Record all transitive install dependency versions and hashes (sdist or bdist)
- Record all transitive build dependency versions and hashes (sdist or bdist)
- Record the install and build dependency metadata for explicitly specified target platforms (see pypa/pip issue #10050, "Resolution for TargetPython != current python evaluates markers against current python")
- Result in byte-for-byte installation output iff install dependency versions for a target platform are all bdist and the lockfile was produced on the target platform (PEP 665)
- Warn users if installation onto a target platform involves an sdist, since it may fail and will not be reproducible
Lockfile design MUST NOT:
- Guarantee reproducibility if there is a single sdist in the transitive closure for a target platform
- Guarantee successful or correct installation for any lockfile that includes an sdist for installation on a target platform that is not the same as the locking platform. Users should be directed to instructions to produce the lockfile on the target platform or to prepare a wheelhouse or mirror that contains wheels for the desired target platforms.
- Perform additional resolution or fetch files or hashes not already listed in the lockfile
- Guarantee that it is possible to produce a lockfile if the transitive dependency closure (build or install) includes an sdist for any requested target platform. Users should be directed to instructions to produce the lockfile on the target platform or to prepare a wheelhouse or mirror that contains wheels for the desired target platforms.
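To make the trade-offs above concrete, here is an added example (not from the post, and not pip's or any PEP's code) of a checker that applies these MUST / MUST NOT rules to a lockfile before installing. The lockfile layout is an assumption: a dict with a "locked_on" platform tag and a per-target "targets" map whose "install" and "build" lists carry name, version, artifact kind (sdist or bdist), file name and sha256. The sample lockfile and the "wheel bytes" it hashes are constructed, so the example runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample lockfile (assumed layout, not a real lockfile format).
# "locked_on" is the platform the lockfile was produced on; "targets" holds the
# install and build closure recorded for each explicitly requested platform.
SAMPLE_LOCK = {
    "locked_on": "manylinux_x86_64-cp311",
    "targets": {
        "manylinux_x86_64-cp311": {
            "install": [
                {"name": "requests", "version": "2.31.0", "kind": "bdist",
                 "file": "requests-2.31.0-py3-none-any.whl", "sha256": _h(b"requests-wheel")},
                {"name": "cffi", "version": "1.16.0", "kind": "bdist",
                 "file": "cffi-1.16.0-cp311-cp311-manylinux_x86_64.whl", "sha256": _h(b"cffi-linux-wheel")},
            ],
            "build": [],
        },
        "win_amd64-cp311": {
            "install": [
                {"name": "requests", "version": "2.31.0", "kind": "bdist",
                 "file": "requests-2.31.0-py3-none-any.whl", "sha256": _h(b"requests-wheel")},
                # No Windows wheel was available at lock time, so cffi is an sdist here.
                {"name": "cffi", "version": "1.16.0", "kind": "sdist",
                 "file": "cffi-1.16.0.tar.gz", "sha256": _h(b"cffi-sdist")},
            ],
            "build": [
                {"name": "setuptools", "version": "69.0.3", "kind": "bdist",
                 "file": "setuptools-69.0.3-py3-none-any.whl", "sha256": _h(b"setuptools-wheel")},
            ],
        },
    },
}

REQUIRED_KEYS = ("name", "version", "kind", "file", "sha256")


@dataclass
class Report:
    target: str
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    reproducible: bool = False


def check_lockfile(lock: dict, target: str) -> Report:
    """Apply the MUST / MUST NOT rules from the post to one target platform."""
    report = Report(target)
    entry = lock.get("targets", {}).get(target)
    if entry is None:
        # No recorded metadata for this target: refuse instead of resolving on the fly.
        report.errors.append(
            f"no locked metadata for {target}: produce the lockfile on that platform "
            "or prepare a wheelhouse/mirror with wheels for it")
        return report
    sdists = {"install": [], "build": []}
    for section in ("install", "build"):
        for dep in entry.get(section, []):
            missing = [k for k in REQUIRED_KEYS if k not in dep]
            if missing:
                report.errors.append(f"{section} entry {dep.get('name', '?')} lacks {missing}")
                continue
            if dep["kind"] not in ("sdist", "bdist"):
                report.errors.append(f"{dep['name']}: unknown artifact kind {dep['kind']!r}")
            elif dep["kind"] == "sdist":
                sdists[section].append(dep["name"])
    if sdists["install"]:
        report.warnings.append(
            f"install closure for {target} contains sdist(s) {sdists['install']}: "
            "installation may fail and will not be byte-for-byte reproducible")
    if sdists["build"]:
        report.warnings.append(
            f"build closure for {target} contains sdist(s) {sdists['build']}: "
            "building from source may fail on this platform")
    # Byte-for-byte output is only promised when every install dependency is a
    # bdist AND the lockfile was produced on this very target platform.
    report.reproducible = (
        not report.errors and not sdists["install"] and lock.get("locked_on") == target)
    return report


def verify_artifact(lock: dict, target: str, filename: str, data: bytes) -> tuple:
    """Installer-side check: accept only a file listed in the lockfile for this
    target, and only if its bytes match the recorded hash. Nothing is resolved
    or fetched beyond what the lockfile names. Returns (ok, reason)."""
    entry = lock.get("targets", {}).get(target, {})
    listed = {d["file"]: d["sha256"]
              for section in ("install", "build") for d in entry.get(section, [])}
    if filename not in listed:
        return False, f"{filename} is not listed in the lockfile for {target}"
    if not hmac.compare_digest(_h(data), listed[filename]):
        return False, f"hash mismatch for {filename}"
    return True, "ok"


if __name__ == "__main__":
    for tgt in ("manylinux_x86_64-cp311", "win_amd64-cp311", "macosx_arm64-cp311"):
        r = check_lockfile(SAMPLE_LOCK, tgt)
        print(tgt, "reproducible:", r.reproducible, r.errors, r.warnings)
    print(verify_artifact(SAMPLE_LOCK, "manylinux_x86_64-cp311",
                          "requests-2.31.0-py3-none-any.whl", b"requests-wheel"))
```

Running it shows the three outcomes the proposal distinguishes: the locking platform gets a reproducible result with no warnings, the Windows target gets an explicit sdist warning and no reproducibility claim, and an unlisted platform is refused with a pointer to locking on that platform or preparing a wheelhouse. `verify_artifact` is the installer-side half of "MUST NOT fetch files or hashes not already listed": an unlisted file or a hash mismatch is rejected before anything is unpacked.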