This PEP was rejected due to lukewarm reception from the community and the lack of source distribution support.

This PEP specifies a file format to specify the list of Python package installation requirements for an application, and the relation between the specified requirements and the installation target. The list of requirements is considered exhaustive for the installation target, and thus not requiring any information beyond the platform being installed for, and the file itself. The file format is flexible enough to allow installing the requirements across different platforms, which allows for reproducibility on multiple platforms from the same file.

There are several terms whose definition must be agreed upon in order to facilitate a discussion on the topic of this PEP.

A package is something you install as a dependency and use via the import system. The packages on PyPI are an example of this.

An application or app is an end product that other external code does not directly rely on via the import system (i.e. it is standalone). Desktop applications, command-line tools, etc. are examples of applications.

A lock file records the packages that are to be installed for an app. Traditionally, the exact version of the package to be installed is specified by a lock file, but specified packages are not always installed on a given platform (according to a filtering logic described in a later section), which enables the lock file to describe reproducibility across multiple platforms. Examples of this are package-lock.json from npm, Poetry.lock from Poetry, etc.

Locking is the act of taking the input of the packages an app depends on and producing a lock file from that.

A locker is a tool which produces a lock file.

An installer consumes a lock file to install what the lock file specifies.

Applications want reproducible installs for a few reasons (we are not worrying about package development, integration into larger systems that would handle locking dependencies external to the Python application, or other situations where flexible installation requirements are desired over strict, reproducible installations).

One, reproducibility eases development. When you and your fellow developers all end up with the same files on a specific platform, you make sure you are all developing towards the same experience for the application. You also want your users to install the same files as you expect to guarantee the experience is the same as you developed for them.

Two, you want to be able to reproduce what gets installed across multiple platforms. Thanks to Python's portability across operating systems, CPUs, etc., it is very easy and often desirable to create applications that are not restricted to a single platform. Thus, you want to be flexible enough to allow for differences in your package dependencies between platforms, while still having consistency and reproducibility on any one specific platform.

Three, reproducibility is more secure. When you control exactly what files are installed, you can make sure no malicious actor is attempting to slip nefarious code into your application (i.e. some supply chain attacks). By using a lock file which always leads to reproducible installs, we can avoid certain risks entirely.

Four, relying on the wheel file format provides reproducibility without requiring build tools to support reproducibility themselves. Thanks to wheels being static and not executing code as part of installation, wheels always lead to a reproducible result. Compare this to source distributions (aka sdists) or source trees, which only lead to a reproducible install if their build tool supports reproducibility, due to the inherent code execution. Unfortunately, the majority of build tools do not support reproducible builds, so this PEP helps alleviate that issue by only supporting wheels as a package format.

This PEP proposes a standard for a lock file, as the current solutions don't meet the outlined goals. Today, the closest we come to a lock file standard is the requirements file format from pip. Unfortunately, that format does not lead to inherently reproducible installs.