I really don’t see how you can hard disagree here. When using an environment manager like pipenv, an editable package is simply a reference to your source tree. For example, if I check out the following tree at commit
    Pipfile         # References -e ./mypackage
    Pipfile.lock    # Reference -e ./mypackage
    ./mypackage     # Only refers to locked packages
This yields a reproducible environment on any machine where mypackage is referenced via a link under .venv/lib/python3*/site-packages/easy-install.pth etc. So the editable package in this context is a source package where the code is already trusted, since the developer curates it themselves.
A potential implementation of a locked package is name+version+hash, but when you consider what you’re trying to actually achieve (i.e. validate that a package is exactly what you ask for), a trusted source tree fits the definition of a locked package.
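As an added illustration of the name+version+hash point (example code, not from this thread or from pipenv itself): the Pipfile.lock fragment below is constructed, and the tree digest is an assumed scheme for giving an editable path reference the same "is it exactly what I asked for" check that a hash-pinned entry gets.

```python
import hashlib
import os
import tempfile

# Constructed Pipfile.lock fragment (not from a real project): one hash-pinned
# dependency and one editable path reference, in the shape pipenv writes them.
PIPFILE_LOCK = {
    "default": {
        "requests": {"version": "==2.31.0", "hashes": ["sha256:PLACEHOLDER_HASH"]},
        "mypackage": {"editable": True, "path": "./mypackage"},
    }
}

def classify_lock(lock):
    """Split lock entries into hash-pinned packages and editable path references."""
    pinned, editable = {}, {}
    for name, entry in lock["default"].items():
        if entry.get("editable") and "path" in entry:
            editable[name] = entry["path"]
        elif entry.get("hashes"):
            pinned[name] = entry["hashes"]
    return pinned, editable

def tree_digest(root):
    """Deterministic SHA-256 over relative paths and contents of a source tree
    (assumed scheme): the 'hash' part of name+version+hash for an editable package."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in {".git", "__pycache__"})
        for fname in sorted(filenames):
            full = os.path.join(dirpath, fname)
            h.update(os.path.relpath(full, root).replace(os.sep, "/").encode() + b"\0")
            with open(full, "rb") as f:
                h.update(f.read())
            h.update(b"\0")
    return "sha256:" + h.hexdigest()

def verify_editable(root, expected):
    """True when the checked-out tree still matches the recorded digest."""
    return tree_digest(root) == expected

def demo():
    """Record the digest of a tiny editable package, then modify a file and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "mypackage")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "__init__.py"), "w") as f:
            f.write("VERSION = '1.0'\n")
        recorded = tree_digest(pkg)
        ok_before = verify_editable(pkg, recorded)
        with open(os.path.join(pkg, "__init__.py"), "a") as f:
            f.write("print('modified')\n")
        return ok_before, verify_editable(pkg, recorded)  # returns (True, False)
```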