Lock files on PyPI - Open Source by Brett Cannon

- Multiple lock files per release - Different names required - Served metadata - File name (or at least the unique part of the file name, if any) - [`lock-version`](https://packaging.python.org/en/latest/specifications/pylock-toml/#lock-version) - [`environments`](https://packaging.python.org/en/latest/specifications/pylock-toml/#environments) - Might be tricky for the HTML index data since it's a list - Could embed JSON - List the same file multiple times for each item in the list - Use a `li` tag per marker - [`requires-python`](https://packaging.python.org/en/latest/specifications/pylock-toml/#requires-python) - URL - Hash(es) of the file contents - Upload time One potential issue is the 🐔&🥚 problem of locking the wheel for the project where the wheels for the project have not been uploaded yet to lock against. Potential solutions are: 1. Upload the lock file(s) as a separate step of a release - One potential benefit of taking this approach is it acts like a post-release test to verify everything is working - If running the test suite one might need to either assume it matches what was installed or set up pytest in such a way that it doesn't test against the source in the checkout in the checkout 2. Have the lock files contain the details for the project based on what's about to be uploaded, but lacking any details that are only available after upload (e.g. URLs, attestations, etc.) 3. Have the lock file use some other detail like the VCS which are known ahead of time - Installers could choose to swap out the VCS for the project for the wheel of the project 4. The lock file contains everything **except** the project's own wheel files which would be available next to the lock file - Installation could take two steps: lock file + the project itself - The index server could patch the lock file to include the uploaded file details I think part of the question of which approach is preferred is whether lock files are considered part of a release or a side/separate thing that gets released. As well, are the lock files considered self-contained and so they should stand on their own?