[Accepted](https://discuss.python.org/t/pep-751-one-last-time/77293/150)!

# Discussions

https://meta.discourse.org/t/how-to-export-comments-under-a-specific-post/230008/2

## That's a good idea (119 comments)

![[lock-file-format-idea-on-Twitter.png]]

- https://discuss.python.org/t/structured-exchangeable-lock-file-format-requirements-txt-2-0/876 (2019-02-19; 110 comments)
- https://discuss.python.org/t/what-is-the-status-on-a-pip-lock-file/6669 (2021-01-15; 9 comments)
- 2019-02
- 2019-04
- 2019-08
- 2020-04

## PEP 665 (401 - 411 comments)

- https://peps.python.org/pep-0665/ (started on 2021-01-29, first posted on 2021-07-29, [rejected](https://discuss.python.org/t/pep-665-take-2-a-file-format-to-list-python-dependencies-for-reproducibility-of-an-application/11736/141) 2022-01-11)
- https://discuss.python.org/t/pep-665-specifying-installation-requirements-for-python-projects/9911 (2021-07-29; 155 comments)
- https://discuss.python.org/t/pep-665-take-2-a-file-format-to-list-python-dependencies-for-reproducibility-of-an-application/11736 (2021-11-03 to 2022-01-12; 181 comments)
- https://discuss.python.org/t/supporting-sdists-and-source-trees-in-pep-665/11869/ (2021-11-05; 65 comments)
- https://discuss.python.org/t/a-file-format-to-list-python-dependencies-of-an-application-without-strict-reproducibility-guarantees/12218 (2021-11-27; 10 comments)
- 2021-01 through 2021-02 working on the PEP
- 2021-07
- 2021-08
- 2021-09
- 2021-11
- 2021-12
- 2022-01
- 2022-04

## Still thinking (117 comments)

- https://discuss.python.org/t/how-should-a-lockfile-pep-665-successor-look-like/17690 (2022-07-26; 106 comments)
- https://discuss.python.org/t/what-information-is-needed-to-choose-the-right-dependency-file-for-a-platform/13447 (2022-01-31; 6 comments)
- https://discuss.python.org/t/the-purpose-of-a-lock-file/38756 (2023-11-14; 5 comments)
- 2022-01
- 2022-04 is PEP 685
- 2022-07
- 2022-08
- 2022-09
- 2022-10
- 2022-12 [outline what's needed in `mousebender`](https://github.com/brettcannon/mousebender/commit/68c67358d63cf68d305dc057e767df974e549a0f)
- 2023-04 is [`packaging.metadata.RawMetadata` in 23.1](https://packaging.pypa.io/en/stable/changelog.html#id6)
- 2023-10 is [`packaging.metadata.Metadata` in 23.2](https://packaging.pypa.io/en/stable/changelog.html#id5), [start `mousebender.resolve`](https://github.com/brettcannon/mousebender/commit/83143574f7960345e880cc087e66c56b953eef59)
- 2023-11

## PEP 751 (1124 comments)

- https://peps.python.org/pep-0751/ (first posted 2024-07-24, accepted 2025-03-31)
- https://discuss.python.org/t/lock-files-again-but-this-time-w-sdists/46593 (2024-02-21; 311 comments)
- https://discuss.python.org/t/pep-751-lock-files-again/59173 (2024-07-25; 354 comments)
- https://discuss.python.org/t/pep-751-now-with-graphs/69721 (2024-10-30; 253 comments)
  - [Hynek blows things up](https://discuss.python.org/t/pep-751-now-with-graphs/69721/86) (2024-11)
  - [Apologizes](https://discuss.python.org/t/pep-751-now-with-graphs/69721/97)
  - [Charlie wants to scale it back](https://discuss.python.org/t/pep-751-now-with-graphs/69721/105) (2024-11)
- https://discuss.python.org/t/pep-751-one-last-time/77293 (2025-01-15; accepted at comment 150)
  - [Frost disappointed](https://discuss.python.org/t/pep-751-one-last-time/77293/36)
  - [Acceptance](https://discuss.python.org/t/pep-751-one-last-time/77293/150)
- https://discuss.python.org/t/how-to-hash-a-directory-in-lockfiles/70487 (2024-11-07; 36 comments)
- https://discuss.python.org/t/how-to-validate-lock-files-for-security/74391 (2024-12-15; 20 comments)
- https://github.com/pypa/pip/issues/11440#issuecomment-1774064882
- https://github.com/astral-sh/uv/issues/7533c
- 2024-02
- 2024-03
- 2024-07
- 2024-08
- 2024-09
- 2024-10
- 2024-11
- 2024-11
- 2024-12
- 2025-01
- 2025-02
- 2025-03

# References

- [Direct URL data structure](https://packaging.python.org/en/latest/specifications/direct-url-data-structure/)
- [Simple API](https://packaging.python.org/en/latest/specifications/simple-repository-api/)
- [Attestations](https://packaging.python.org/en/latest/specifications/index-hosted-attestations/)
- [Pip requirements files](https://pip.pypa.io/en/stable/reference/requirements-file-format/)

# Auditing

- Hash algorithm
  - Allowed algorithm used
  - Can backfill
- Verify hash
  - Based on index
  - Downloaded bits
- File size specified
  - Can backfill
- Upload time specified
- Dependencies listed
  - Can backfill
- Index specified
  - Only wheels
- Attestations
  - Provided (which doesn't require network access)
  - Recorded attestations are accurate
    - Can backfill
  - All files have attestations
  - Allow list of attestations for projects