@@ -937,6 +937,7 @@ would provide enough flexibility for things such as other version
937937control systems, innovative container formats, etc. to be officially
938938usable in a lock file.
939939
940+
940941-----------------------------------------------
941942Support Variable Expansion in the ``url `` field
942943-----------------------------------------------
@@ -949,6 +950,62 @@ Environment variables could be supported to avoid hardcoding things
949950such as user credentials for Git.
950951
951952
953+ ---------------------------------------------------------------
954+ Don't Require Lock Files Be in a ``pyproject-lock.d `` directory
955+ ---------------------------------------------------------------
956+
957+ It has been suggested that since installers may very well allow users
958+ to specify the path to a lock file that having this PEP say that
959+ "MUST be kept in a directory named ``pyproject-lock.d ``" is pointless
960+ as it is bound to be broken. As such, the suggestion is to change
961+ "MUST" to "SHOULD".
962+
963+
964+ ---------------------------------------------------
965+ Record the Date of When the Lock File was Generated
966+ ---------------------------------------------------
967+
968+ Since the modification date is not guaranteed to match when the lock
969+ file was generated, it has been suggested to record the date as part
970+ of the file's metadata. The question, though, is how useful is this
971+ information and can lockers that care put it into their ``[tool] ``
972+ table instead of mandating it be set?
973+
974+
975+ --------------------------
976+ Locking Build Dependencies
977+ --------------------------
978+
979+ Thanks to PEP 518, source trees and sdists can specify what build
980+ tools must be installed in order to build a wheel (or sdist in the
981+ case of a source tree). It has been suggested that the lock file also
982+ record such packages so to increase how reproducible an installation
983+ can be.
984+
985+ There is nothing currently in this PEP, though, that prohibits a
986+ locker from recording build tools thanks to ``metadata.needs `` acting
987+ as the entry point for calculating what to install. There is also a
988+ cost in downloading all potential sdists and source trees, reading
989+ their ``pyproject.toml `` files, and then calculating their build
990+ dependencies for locking purposes for which not everyone will want to
991+ pay the cost for.
992+
993+
994+ --------------------------------------------------------------
995+ Recording the ``Requires-Dist `` Input to the Locker's Resolver
996+ --------------------------------------------------------------
997+
998+ While the ``needs `` key allows for recording dependency specifiers,
999+ this PEP does not currently require the ``needs `` key to record the
1000+ **exact ** ``Requires-Dist `` metadata that was used to calculate the
1001+ lock file. It has been suggested that recording the inputs would help
1002+ in auditing the outcome of the lock file.
1003+
1004+ If this were to be done, it would be an key named ``requested `` which
1005+ lived along side ``needs `` and would only be specified if it would
1006+ differ from what is specified in ``needs ``.
1007+
1008+
9521009===============
9531010Acknowledgments
9541011===============
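Review bot: the new "Recording the ``Requires-Dist`` Input" paragraph has a grammar slip that should be fixed before merge: "it would be an key named ``requested`` which lived along side ``needs``" should read "it would be a key named ``requested`` which lived alongside ``needs``". Two smaller wording fixes in the same hunk: "record such packages so to increase how reproducible" reads better as "so as to increase", and "for locking purposes for which not everyone will want to pay the cost for" carries a doubled "for" (drop the trailing one). On substance, the "Locking Build Dependencies" section says nothing prohibits a locker from recording build tools via ``metadata.needs`` but then argues the cost of reading every ``pyproject.toml``; since the stated motivation for both this section and the ``requested`` key is auditing and reproducibility, it would help readers if the text stated plainly that this is left optional for lockers rather than rejected, so that the audit trade-off is explicit.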