Pre-PEP: Add ability to install a package with reproducible dependencies

While working on lock-file related issues for prek (the uv/Rust-based pre-commit clone), I stumbled again over my original post here.
It reminded me that “installing a Python package with reproducible dependencies” appears in more places than expected.

So I looked a bit further and found that people are asking for similar — though not identical — features in many places.
They are not all asking for the same feature, but the common theme is the desire for reproducibility and an easy-to-use workflow.

As this thread stalled and drifted a bit off topic, I wanted to bring it back on track.

After rereading everything, I’m also in favour of the proposed idea of distributing lock files as separate artifacts, similar in spirit to the attestation files defined in PEP 740.

I agree that this should be tested and experimented with in real tools before standardizing anything.

That said, this raises a chicken/egg problem:

  • PyPI / Warehouse understandably won’t want to implement experimental features without prior experience and clear demand.
  • Installers (e.g. uv) are unlikely to add support if there is no broadly available source of such artifacts.

uv already supports installing a lock file from a URL (PR), and there is demand for more convenient flows in this direction (even for different use cases), such as a shortcut for uv venv && uv pip install -r (request).

Putting this together, something like uv venv --requirement <pkg> that installs <pkg> using its published lock file does not feel far-fetched — if there were a standard place to publish and retrieve that lock file[1].
So far this mostly looks solvable from the client side[2].

But I’m wondering about the server side and how to experiment end-to-end, specifically:

  • Are there known pathways for introducing experimental or opt-in features in PyPI / Warehouse?
  • Or does this necessarily require a fully specified standard before any implementation can begin, meaning experimentation would need to happen in another package index (e.g. devpi) first?

Any suggestions on how to move forward?

Post was improved using an LLM; see here for the original.


  1. Same applies for pipx/uv tool ↩︎

  2. A side note: pex adopted an earlier “wheel as carrier” idea fairly quickly, so there might be another client implementation ready fast. ↩︎
