Note that I am really not a fan of having a lock file supplied as an additional URL.
The environment I am working in (energy sector) is very tight on security. Systems are often not connected to the internet and only very limited services are allowed to be connected from customers to service operators.
So requiring an extra service to be added is next to impossible.
And I also don’t think of the mutability of lock file resources as a feature, as their whole purpose is to allow for a kind of immutability to increase security.
To continue the discussion of “Pre-PEP: Include pylock.toml files inside wheels”, here is a copy of my last post:
I’m also considering reaching out to uv and pipx about supporting lock files included within the package folder itself, not just in the dist-info directory.
(Though to clarify: while there can be multiple package folders, the standard does not forbid placing files in the dist-info folder — only subdirectories are reserved.)
What I still don’t fully understand is:
How would a completely optional standard harm the packaging ecosystem?
I genuinely don’t have your depth of experience, so I’d appreciate any concrete examples or past situations where optional features have caused harm — especially if there’s a story/example you could share. That would really help me understand your concerns better.
From my perspective (as detailed in the revised proposal), there are several strong reasons to include lock files inside wheels:
- Security & reliability: No dependency on external services during installation
- Reproducibility: As the build system includes the lock file with which the tests passed, for most pipelines it is ensured that they will work.
- Simplicity: It’s easy to associate a lock file with the package it belongs to, and tools (as well as humans) can find and use it without needing additional APIs, tokens, or infrastructure
So far, the only downsides I’ve seen mentioned are:
- The confusion between “wheels” and “applications” (which I’ve tried to address more clearly in the rewritten proposal)
- Slightly increased wheel size
If I’ve missed any additional concerns about including a lock file in the wheel, or if there are others you’d like to raise, I’d really appreciate if you could point me to them.
P.S. I’m a slow writer — the initial and revised versions of the proposal took me more than 10 hours in total — so I may only be able to follow up or respond toward the end of the week. Thanks for your patience!
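One way an installer-side tool could consume such a wheel-embedded lock file, as an added example that is not code from the original post or from any packaging tool: it locates `pylock.toml` in the wheel's `.dist-info` directory and accepts it only if the wheel's own `RECORD` entry (hash and size) matches it, which is the immutability property argued for above. The wheel layout, the `demo-1.0` name and the sample lock content are assumptions constructed for the example.

```python
import base64
import csv
import hashlib
import io
import posixpath
import zipfile
from typing import Optional

# Constructed sample lock file content (a sketch, not the exact pylock.toml schema).
LOCK_TEXT = b'lock-version = "1.0"\n\n[[packages]]\nname = "requests"\nversion = "2.32.3"\n'


def record_hash(data: bytes) -> str:
    """RECORD stores sha256 as urlsafe base64 with the '=' padding stripped."""
    return "sha256=" + base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def build_sample_wheel(lock_text: bytes = LOCK_TEXT, recorded: Optional[bytes] = None) -> bytes:
    """Build a minimal wheel in memory; `recorded` simulates a lock file edited after RECORD was written."""
    info = "demo-1.0.dist-info"  # assumed distribution name/version
    files = {
        "demo/__init__.py": b"VERSION = '1.0'\n",
        f"{info}/METADATA": b"Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
        f"{info}/pylock.toml": lock_text,
    }
    hashed = {**files, f"{info}/pylock.toml": lock_text if recorded is None else recorded}
    lines = [f"{p},{record_hash(d)},{len(d)}" for p, d in hashed.items()] + [f"{info}/RECORD,,"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
        zf.writestr(f"{info}/RECORD", "\n".join(lines) + "\n")
    return buf.getvalue()


def verify_lock_file(wheel_bytes: bytes) -> Optional[bytes]:
    """Return the lock file bytes only if the wheel carries exactly one
    <name>-<ver>.dist-info/pylock.toml and RECORD's hash and size for it match."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        found = [n for n in zf.namelist()
                 if n.count("/") == 1 and n.endswith(".dist-info/pylock.toml")]
        if len(found) != 1:
            return None
        lock_path = found[0]
        data = zf.read(lock_path)
        record = zf.read(posixpath.dirname(lock_path) + "/RECORD").decode()
        entries = {row[0]: row[1:] for row in csv.reader(io.StringIO(record)) if row}
        digest, size = entries.get(lock_path, ("", ""))  # absent from RECORD -> rejected
    ok = digest == record_hash(data) and size == str(len(data))
    return data if ok else None
```

A lock file that is present but whose bytes no longer match `RECORD` is rejected, so a post-build edit of the embedded lock file is caught at install time.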