Implement a lockfile format

[xmunoz]

pip currently uses requirements.txt to specify dependencies; it can specify versions of packages but not hashes. The newer pipfile format can include hashes, which some users prefer. But pip doesn't yet support pipfile, so many users are blocked from using hashes to better secure their Python runtimes. We have made some progress toward standardizing an interoperable lockfile format, but we need to finish that design standardization and consensus-gathering work and implement it in pip, pipenv, and related tools. We'd need Python engineering work and project management to develop and deploy this.

Related: PEP 650 -- Specifying Installer Requirements for Python Projects

[pradyunsg]

This has been picked up by volunteers, who've worked on this since Feb 2021 -- PEP 665 and https://discuss.python.org/t/11736/ is the current effort.

[di]

I think the "and implement" part still might require funding here?

[xmunoz]

Ok, I'll re-open and update the title.

[AkechiShiro]

What is left to do here ? @xmunoz @pradyunsg PEP 665 has been rejected, is there any new follow-up PEP ?
Is the design for the lockfile standardized ? Can work on the support for pip start ?

[pradyunsg]

What is left to do here ?

A follow up PEP, specifying a lock file format that also caters to source distributions (since that has been requested).

PEP 665 has been rejected, is there any new follow-up PEP ?

Not at this time, no.

Is the design for the lockfile standardized ?

Not at this time, no.

Can work on the support for pip start ?

Not at this time, no.