Why it took 4 years to get a lock files specification
13 hours ago
- #Python
- #LockFiles
- #Packaging
- A lock file records the exact set of dependencies to install and where each one comes from, whether that is a source tree, an sdist, or a wheel.
- Lock files can be multi-use (one file covering several platforms or environments, with the installer selecting what applies to it) or single-use (one exact set of artifacts for one specific environment).
- Dependencies come from project.dependencies, project.optional-dependencies (extras), and dependency-groups in pyproject.toml.
- Dependency specifiers allow version restrictions and platform-specific conditions.
- Creating a lock file first requires resolving the dependency graph, and dependency resolution in general is an NP-complete problem.
- The author aimed for a format that is machine-writable, human-readable, secure, fast, and installer-agnostic.
- The first attempt, PEP 665, was rejected, chiefly because it did not support sdists or lock the dependencies of build backends.
- After PEP 665's rejection, the author kept working independently, producing proof-of-concept pieces such as the mousebender project and the packaging.metadata module.
- The emergence of uv in 2024 complicated efforts but eventually led to consensus among key tools (uv, Poetry, PDM).
- PEP 751 was accepted in March 2025 after multiple drafts and extensive discussions, introducing pylock.toml.
- PDM, uv, and pip have started adopting pylock.toml, validating the specification's utility.
- The author reflects on the project's intensity and expresses readiness to move on from major packaging projects.