Andrew Nesbitt takes us on a thrilling journey through the dazzling world of #lockfiles, asking the earth-shattering question: could they be SBOMs? 🚀✨ Spoiler alert: the answer is yes, but in formats as unique as snowflakes. ❄️ Meanwhile, the rest of the world waits with bated breath for the EU to dictate our digital lives! 🇪🇺🔒
https://nesbitt.io/2025/12/23/could-lockfiles-just-be-sboms.html #SBOMs #digitaltransformation #EUregulations #cybersecurity #HackerNews #ngated
Could lockfiles just be SBOMs?

Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?

Andrew Nesbitt
Oh boy, another tool to generate and verify #lockfiles for GitHub Actions, because we all know life's too short to trust those pesky mutable tags. 🔒✨ Let's spend our precious time pinning every single action to exact commit SHAs, because who doesn't love a good game of dependency whack-a-mole? 🎯🛠️
https://gh-actions-lockfile.net #GitHubActions #dependencyManagement #automation #tools #HackerNews #ngated
gh-actions-lockfile

Generate and verify lockfiles for GitHub Actions dependencies. Pin all actions to exact commit SHAs with integrity hashes.
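The pinning rule in the post above, as an added example that is not part of gh-actions-lockfile or of the original feed: a small Python check that scans a workflow for `uses:` references and reports any remote action that is not pinned to a full 40-hex commit SHA (or, for `docker://` images, a `@sha256:` digest). Local `./` actions are skipped because they are already fixed by the repository's own commit. The sample workflow and the commit SHA in it are constructed for the example; nothing here calls the tool's own API.

```python
import re

# Constructed sample workflow for the example (not from the page or any real repo).
# The 40-hex SHA below is made up for illustration.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: docker://alpine:3.20
      - uses: ./.github/actions/local-thing
      - name: build
        run: make
"""

# Matches step-level ("- uses: x") and job-level ("uses: x") references,
# stopping at whitespace, quotes or a trailing "# version" comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# Git object names are 40 lowercase hex characters (SHA-1 repositories).
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref):
    """Classify one `uses:` reference as 'pinned', 'unpinned' or 'local'.

    'pinned' means the reference cannot silently change under you:
    a full commit SHA for a repository action, or a content digest
    for a docker:// image. Tags and branches are 'unpinned'.
    """
    if ref.startswith(('./', '../')):
        return 'local'
    if ref.startswith('docker://'):
        image = ref[len('docker://'):]
        return 'pinned' if '@sha256:' in image else 'unpinned'
    _, sep, version = ref.rpartition('@')
    if sep and SHA_RE.match(version):
        return 'pinned'
    return 'unpinned'


def find_unpinned(workflow_text):
    """Return [(line_number, ref), ...] for every remote `uses:` that is
    not pinned to an immutable commit SHA or image digest."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_uses(ref) == 'unpinned':
            findings.append((lineno, ref))
    return findings


def pinned_refs(workflow_text):
    """Collect the already-pinned references as {action: sha_or_digest},
    i.e. the raw material a lockfile for the workflow would record."""
    pins = {}
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == 'pinned':
            name, _, version = m.group(1).rpartition('@')
            pins[name] = version
    return pins


if __name__ == '__main__':
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {ref} is not pinned to a commit SHA or digest')
    print('pinned:', pinned_refs(SAMPLE_WORKFLOW))
```

Run against a real workflow by reading the file instead of `SAMPLE_WORKFLOW`; a non-empty result from `find_unpinned` is the condition a CI gate would fail on. Note that a SHA pin only freezes which code runs; it does not by itself tell you whether that commit is trustworthy, which is why a comment recording the human-readable tag next to the SHA (as in the sample) is still worth keeping.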

🎉 Four years to write a lock file spec? Surely a riveting saga of #procrastination, misunderstandings, and the inevitable battle with the "Trivial Task That Could've Been Done Yesterday" monster. 🐢🔒 Python: where nothing is ever done quickly or without #drama. 🐍✨
https://snarky.ca/why-it-took-4-years-to-get-a-lock-files-specification/ #lockfiles #Python #softwaredevelopment #techhumor #HackerNews #ngated
Why it took 4 years to get a lock files specification

(This is the blog post version of my keynote from EuroPython 2025 in Prague, Czechia.) We now have a lock file format specification. That might not sound like a big deal, but for me it took 4 years of active work to get us that specification. Part education, part therapy,

Tall, Snarky Canadian

🐍🔐 Python lockfiles are back!

Read @brettcannon's new PEP 751 – "A file format to list Python dependencies for installation reproducibility":

https://peps.python.org/pep-0751/

Discuss it:

https://discuss.python.org/t/pep-751-lock-files-again/59173

#Python #lockfiles #PEP751

PEP 751 – A file format to record Python dependencies for installation reproducibility | peps.python.org

This PEP proposes a new file format for specifying dependencies to enable reproducible installation in a Python environment. The format is designed to be human-readable and machine-generated. Installers consuming the file should be able to calculate wha...

Python Enhancement Proposals (PEPs)
If you don't know or perhaps kinda think you know how to use lockfiles, read this please lsferreira.net/posts/lockfile-…
The controversy and misconception around package managers lockfile in libraries

This post describes the common misconception and controversy around package managers' philosophy about the abomination of lockfiles in packages, more specifically in libraries.

luis space

🔒📂 @brettcannon has just posted his new proposal to standardise lock files in Python:

"Two years since PEP 665 was rejected and three years since I started working towards some lock file solution, I present my next (and last regardless of outcome) attempt at coming up with a lock file standard."

https://discuss.python.org/t/lock-files-again-but-this-time-w-sdists/46593?u=hugovk

#Python #LockFiles #LockFile #PEP665

Lock files, again (but this time w/ sdists!)

Two years since PEP 665 was rejected and three years since I started working towards some lock file solution, I present my next (and last regardless of outcome) attempt at coming up with a lock file standard. Terms “platform”: OS plus CPU “environment”: interpreter plus platform “distribution”: in the PyPA spec sense, i.e. a project “lock entry”: a set of distribution files locked for a specific environment “lock file”: a set of lock entries for a specific set of dependency specifiers from a s...

Discussions on Python.org