Supporting sdists and source trees in PEP 665

Reproducible builds could be great indeed, but the road to achieve that might be long and tortuous. An intermediate step could be recording the source artifact hash (or VCS commit hash), pinning build dependencies, and letting the user take conscious responsibility for making sure their build conditions are safe. That would be useful for many users.

