Lockfile support?

[smheidrich]

As everyone is probably aware, other Python build backends / packaging tools like Poetry or uv almost all support some kind of automatically generated "lock file" recording exact dependency versions, in addition to the usually looser version specifications in human-written package configuration like pyproject.toml. This is meant to help make installation of application (rather than library) packages fully reproducible.

Is anything like that planned for setuptools at some point, e.g. after PEP 751 (standardized lock file format) has been accepted? Or would it not fit the project's scope?

I know it's possible to create requirements.txt files with pinned versions using pip freeze regardless of build backend, but AFAIK there is no good way to make setuptools actually use these automatically when installing a package (which is also acknowledged in the Packaging Guide's docs on them). It might be possible using certain hacks, but doesn't seem like something that's officially encouraged, not even for application packages.

I guess creation of such files would necessarily be out-of-scope since setuptools doesn't have a CLI, but maybe it would still make sense for the build backend to be able to use them during package installation, especially if they come in a standard format like the one being drafted in PEP 751.

[abravalheri]

I think this is out of the scope of setuptools isn't it?

Setuptools is only used to produce wheels. It is not a installation tool itself. People that wish to lock a set of packages in an environment can create the wheels using setuptools and then use an installer that support such file.

[smheidrich]

You're right - I actually got wrong how Poetry, uv etc. use lock files, thinking they put the locked dependency versions into the wheel metadata to be used at installation time, but of course that would make no sense because the wheel doesn't know if it's being installed in the context of an isolated application that should use these locked versions or not.

So I guess the closest equivalent of commands like poetry install, uv sync etc. that do consult lock files would be installing a setuptools-based project in editable mode, but does setuptools have any power over the details of how Pip installs something in this case? Even if it does, I'm not sure it would be very intuitive for it to use a lockfile there but not otherwise...