I don’t understand several aspects about this:
- Why mix project installation requirements with lock files? They serve different roles: reproducibility for the latter and specifying (ideally) timeless - i.e. unlocked - dependencies to build/run for the former
- Lockfiles are usually for environments, not individual projects - in particular, lockfiles of individual projects cannot be combined trivially (as mentioned above already); it’s clear that dependencies need to be specified per project, but how lock files should then be used at scale becomes very difficult (i.e. one user installing one library more than another means their environments might be completely differnt)
- The name of the PEP says “installation requirements”, but it seems mostly about locking. In particular, allowing
type="source tree"opens up a Pandora’s box of ABI concerns (and lack of reproducibility) that seem unaddressed.
I’m quite surprised that conda is not discussed as prior art here at all (not least considering the previous discussions on this topic: 1, 2) - it has successfully come up with a sufficient set of scaffolding to build the entire ecosystem in an ABI-compatible way across all platforms & arches, with or without GPUs, with package variants (e.g. OpenBLAS vs. MKL), etc. etc.
In particular, one of the crucial elements are the different kind of requirements that are distinguished in conda. It’s very different for a package to runtime-depend on numpy or to be using the C-API, where then the version used at build-time affects the version usable at runtime, etc. etc.
The following is a laudable goal:
It would then be very unfortunate to reinvent something in a way that then is incompatible with an approach that reached a much higher degree of functionality already.
I’m sure the conda(-forge) people would still be interested in this format discussion (ideally with the ability to eventually “speak the same language”), so tagging some people from the two previous threads (as well as a smattering of conda(-forge) people whose discuss-handle I found): @pzwang @teoliphant @msarahan @dhirschfeld @scopatz @jezdez @jakirkham @ocefpaf @kkraus14 @minrk