PEP 751: Pylock.toml
- #Python
- #Packaging
- #Dependencies
- PEP 751 proposes a new file format named 'pylock.toml' for specifying Python dependencies to ensure reproducible installations.
- The format is designed to be both human-readable and machine-generated, eliminating the need for dependency resolution during installation.
- Key features include support for single-use and multi-use lock files, security defaults like mandatory hashes, and compatibility with various environments.
- The file format uses TOML and includes sections for package details, dependencies, VCS sources, directories, archives, sdists, and wheels.
- New marker expressions 'extras' and 'dependency_groups' are introduced to support multi-use lock files.
- Installation steps involve checking compatibility, evaluating markers, and installing packages from specified sources while validating hashes and sizes.
- The PEP addresses security concerns by requiring hashes and file details but does not solve all potential security issues like tampering or typosquatting.
- Backwards compatibility is not a concern as there is no preexisting standard lock file format.
- The PEP rejects ideas like recording the dependency graph for installation, specifying a new core metadata version, and requiring minimum hash algorithm support.
- Reference implementations and tools like PDM, Poetry, and uv are mentioned as semantically similar approaches.