After reading some of the replies, I realized the discussion has shifted more toward the topic of application deployment.
Because of that, I’ve rewritten the original post (please have another look before continuing the discussion), starting more strongly from the use cases and clearly limiting the scope.
I’m also considering reaching out to uv and pipx about supporting lock files included within the package folder itself, not just in the dist-info directory.
(Though to clarify: while there can be multiple package folders, the standard does not forbid placing files in the dist-info folder — only subdirectories are reserved.)
What I still don’t fully understand is:
How would a completely optional standard harm the packaging ecosystem?
I genuinely don’t have your depth of experience, so I’d appreciate any concrete examples or past situations where optional features have caused harm — especially if there’s a story/example you could share. That would really help me understand your concerns better.
From my perspective (as detailed in the revised proposal), there are several strong reasons to include lock files inside wheels:
- Security & reliability: No dependency on external services during installation
- Reproducibility: As the build system includes the lock file used to pass tests, for most pipelines it is ensured they will work.
- Simplicity: It’s easy to associate a lock file with the package it belongs to, and tools (as well as humans) can find and use it without needing additional APIs, tokens, or infrastructure
So far, the only downsides I’ve seen mentioned are:
- The confusion between “wheels” and “applications” (which I’ve tried to address more clearly in the rewritten proposal)
- Slightly increased wheel size
If I’ve missed any additional concerns about including a lock file in the wheel, or if there are others you’d like to raise, I’d really appreciate it if you could point me to them.
P.S. I’m a slow writer — the initial and revised versions of the proposal took me more than 10 hours in total — so I may only be able to follow up or respond toward the end of the week. Thanks for your patience!