I’ve misunderstood something. I thought that if I have a lock file valid for only one environment (platform, OS, Python version, etc), then any installer will be able to use it, and all installers would install all packages listed in the file. What happens when trying to use this lock file in another environment, I’m not too concerned (I suppose I would prefer the installer to fail, eg if some package’s marker-conditional requirement isn’t satisfied, or a wheel’s platform tag doesn’t match).
Also I’m ignoring sdists here (internally we build and host wheels for all of our sdists anyway).
I’ve noticed an incompatibility with our workflow: sdist URL (or path) and wheel URLs (or paths) must be specified, if specifying sdist/wheels. Our file download locations are subject to change (and in fact, the query parameters which include authentication change basically every time).
Is discovering the download location of an sdist or wheel (when provided an index URL) considered part of resolving? If so, we can’t use this lock file as we need to provide file hashes. If not, could we make URL/path optional (but mutually-exclusive)?