@@ -37,24 +37,43 @@ projects:
3737#. Specifying (at least) specific versions of dependencies for
3838 reproducible installations
3939
40- Both needs are important for various reasons. One is that without a
41- complete listing of all dependencies and the specific versions to use,
42- there can be a skew between developers of the same project, or
43- developer and user, based on what versions of a project's dependencies
44- happen to be available at the time of installation. For instance,
45- a dependency may have v1 as the newest version on Monday when one
46- developer installed the dependency, while v2 comes out on Wednesday
47- when another developer installs the same dependency. Now the two
48- developers are working against two different versions of the same
49- dependency, which can lead to different outcomes.
40+ Both needs can be important for various reasons when creating a new
41+ environment. Consider a project which
42+ is an application that is deployed somewhere (either to users as a
43+ desktop app or to a server). Without a complete listing of all
44+ dependencies and the specific versions to use, there can be a skew
45+ between developers of the same project, or developer and user, based on
46+ what versions of a project's dependencies happen to be available at the
47+ time of installation in a new environment. For instance, a dependency may
48+ have v1 as the newest version on Monday when one developer installed the
49+ dependency, while v2 comes out on Wednesday when another developer
50+ installs the same dependency. Now the two developers are working against
51+ two different versions of the same dependency, which can lead to different
52+ outcomes. This is the use-case of developing a desktop or server
53+ application where one might have a ``requirements.txt `` file which
54+ specifies exact versions of various packages.
5055
5156Another important reason for reproducible installations is for
5257security purposes. Guaranteeing that the same binary data is
53- downloaded and installed for all installations makes sure that no bad
54- actor has somehow changed a dependency's binary data in a malicious
58+ downloaded and installed for all installations of an app makes sure that no
59+ bad actor has somehow changed a dependency's binary data in a malicious
5560way. A lock file can assist in this guarantee by recording the exact
5661details of what should be installed and how to verify that those
57- dependencies have not changed any bytes unexpectedly.
62+ dependencies have not changed any bytes unexpectedly. This is the use-case
63+ of developing a secure application using a ``requirements.txt `` file which
64+ specifies the hash of all the packages that should be installed.
65+
66+ Tied into this concept of reproducibility is the speed at which an
67+ environment can be recreated. If you created a lock file as part of
68+ your local development, it can be used to speed up recreating that
69+ development environment by minimizing having to query the network or the
70+ scope of the possible resolution of dependencies. This makes recreating
71+ your local development environment faster as the amount of work required
72+ to calculate what dependencies to install has been minimized. This is the
73+ use-case of when you are working on a library or some such project where
74+ the lock file is not committed to version control and the lock file used as
75+ a local cache of installation resolution details, such as an uncommitted
76+ ``poetry.lock `` file.
5877
5978The community itself has also shown a need for lock files based on the
6079fact that multiple tools have independently created their own lock
@@ -75,9 +94,10 @@ of those communities include:
7594#. Rust _
7695
7796
78- Below, we identify various use-cases applicable to stakeholders in the
97+ Below, we identify some use-cases applicable to stakeholders in the
7998Python community and anyone who interacts with Python package
80- installers who are the ultimate consumers of a lock file.
99+ installers who are the ultimate consumers of a lock file (this is not
100+ considered exhaustive and is borrowed from PEP 650).
81101
82102
83103---------
@@ -284,6 +304,11 @@ Non-Goals
284304Because of the expected size of lock files, no effort was put into
285305making lock files *human-writable *.
286306
307+ This PEP makes no attempt to make this work in any special way for
308+ installers to use a lock file to install into a *preexisting * environment.
309+ The assumption is the installer is installing into a *new/fresh *
310+ environment.
311+
287312
288313=============
289314Specification
0 commit comments