Structured, Exchangeable lock file format (requirements.txt 2.0?)

Yes, it would. But it could always do that as well, by simply recording a list of hashes that were used; it just needs to be done per platform.

To summarize what I would like to see in a lock file:

  • For each artifact:
    – url(s) so it is possible to fetch
    – name of artifact (basename of url). That allows us to identify the type of artifact, and to provide the artifact when it cannot be fetched
    – hash
  • list of hashes that were actually used when generating the lock file, so it is possible to achieve reproducibility.

Now, there is still the issue of platform. The list of hashes that were used is for a specific platform (and Python version, but because we’re considering applications and not development environments we lock that, so it is not relevant). What now, if we want to support multiple platforms? We could have a list per platform, and lock it per platform. That means multiple runs and the risk of unnecessarily getting different versions of dependencies across platforms due to a change of state. This is a big issue that has also been blocking us from further automating our package set creation in Nixpkgs.
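As an added illustration (not code from the post or from any packaging tool), the following Python sketch implements a verifier for a lock file with the shape proposed above: per artifact a list of urls, a name that must equal the basename of each url, and a hash; plus a per-platform list of the hashes that were actually used. The dict layout, the platform keys (`linux_x86_64`, `macos_arm64`), the `.invalid` hostnames and the file contents are all constructed for the example. The security point it demonstrates is that the "used hashes" list is what pins an install: an installer should only accept artifacts whose hash appears in that list, and should verify the bytes it fetched (or was handed locally) against the recorded hash before using them.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import urlparse

# --- constructed fixture: pretend artifact contents, not real packages -------
SAMPLE_FILES = {
    "foo-1.0-py3-none-any.whl": b"foo pure-python wheel (constructed)",
    "bar-2.1-cp311-cp311-manylinux_2_17_x86_64.whl": b"bar linux wheel (constructed)",
    "bar-2.1-cp311-cp311-macosx_11_0_arm64.whl": b"bar macos wheel (constructed)",
}


def artifact_name(url: str) -> str:
    """Basename of the url path. It identifies the artifact type (.whl, .tar.gz)
    and lets a user supply the file locally when the url cannot be fetched."""
    return posixpath.basename(urlparse(url).path)


def make_entry(urls, data):
    """Build one lock entry; the hash is recorded as '<algorithm>=<hexdigest>'."""
    return {"urls": urls, "name": artifact_name(urls[0]),
            "hash": "sha256=" + hashlib.sha256(data).hexdigest()}


ARTIFACTS = [
    make_entry(["https://files.example.invalid/foo-1.0-py3-none-any.whl",
                "https://mirror.example.invalid/foo-1.0-py3-none-any.whl"],
               SAMPLE_FILES["foo-1.0-py3-none-any.whl"]),
    make_entry(["https://files.example.invalid/bar-2.1-cp311-cp311-manylinux_2_17_x86_64.whl"],
               SAMPLE_FILES["bar-2.1-cp311-cp311-manylinux_2_17_x86_64.whl"]),
    make_entry(["https://files.example.invalid/bar-2.1-cp311-cp311-macosx_11_0_arm64.whl"],
               SAMPLE_FILES["bar-2.1-cp311-cp311-macosx_11_0_arm64.whl"]),
]
_HASH = {e["name"]: e["hash"] for e in ARTIFACTS}

# Constructed lock file: artifacts plus the hashes actually used per platform.
LOCK = {
    "artifacts": ARTIFACTS,
    "used": {
        "linux_x86_64": [_HASH["foo-1.0-py3-none-any.whl"],
                         _HASH["bar-2.1-cp311-cp311-manylinux_2_17_x86_64.whl"]],
        "macos_arm64": [_HASH["foo-1.0-py3-none-any.whl"],
                        _HASH["bar-2.1-cp311-cp311-macosx_11_0_arm64.whl"]],
    },
}


def parse_hash(spec: str):
    """Split '<algorithm>=<hexdigest>'; reject unknown algorithms and empty digests."""
    algo, sep, digest = spec.partition("=")
    if not sep or not digest or algo not in hashlib.algorithms_available:
        raise ValueError(f"bad hash spec {spec!r}")
    return algo, digest


def verify_bytes(entry, data: bytes) -> bool:
    """True if data hashes to the digest recorded for this artifact."""
    algo, expected = parse_hash(entry["hash"])
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)


def check_lock(lock) -> list:
    """Structural checks: every url basename equals the artifact name, every hash
    spec parses, and every 'used' hash refers to a locked artifact."""
    problems, known = [], set()
    for e in lock["artifacts"]:
        for u in e["urls"]:
            if artifact_name(u) != e["name"]:
                problems.append(f"{e['name']}: url basename mismatch for {u}")
        try:
            parse_hash(e["hash"])
        except ValueError as exc:
            problems.append(f"{e['name']}: {exc}")
        known.add(e["hash"])
    for platform, hashes in lock["used"].items():
        for h in hashes:
            if h not in known:
                problems.append(f"{platform}: used hash {h} is not a locked artifact")
    return problems


def resolve(lock, platform: str) -> list:
    """Artifacts to install on a platform: exactly those whose hash was used."""
    by_hash = {e["hash"]: e for e in lock["artifacts"]}
    return [by_hash[h] for h in lock["used"][platform]]


def verify_fetched(lock, platform: str, fetched: dict) -> list:
    """fetched maps artifact name -> bytes (downloaded, or supplied locally when
    the urls are unreachable). An empty result means the install reproduces the lock."""
    problems = []
    for e in resolve(lock, platform):
        data = fetched.get(e["name"])
        if data is None:
            problems.append(f"{e['name']}: missing; fetch from {' or '.join(e['urls'])}")
        elif not verify_bytes(e, data):
            problems.append(f"{e['name']}: hash mismatch, refusing to install")
    return problems


if __name__ == "__main__":
    print("lock problems:", check_lock(LOCK))
    print("linux install:", verify_fetched(LOCK, "linux_x86_64", SAMPLE_FILES))
```

Resolving by "used hash" rather than by name is what makes the per-platform list reproducible: two artifacts with the same name but different contents cannot be confused, and a mirror that serves modified bytes is rejected at `verify_bytes` regardless of which url was tried.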