For handling dependencies and creating Python packages Poetry is a great choice. Poetry’s build command can generate source and wheel distributions. Wheel is a pre-built distribution format containing files and metadata, which only need to be moved to the target system, to be installed. On the other hand source (or sdist) distribution still requires a build step before it can be used.
Poetry’s design issue
There is however a problem with Poetry’s package building functionality: it does not consider the lock file while running the build command. This design flaw leads to multiple issues with the built wheel:
- No exact dependency versions are specified in the distribution for explicit dependencies if no exact requirements are used
- Implicit dependencies are fully missing from the distribution’s dependency specification
Ultimately these issues make the built wheel distribution unreliable and practically unusable in production as explicit and implicit dependencies will be installed non-deterministically.
Locked versions in distributions
The Poetry team is aware of the issue, but making this feature available in a maintainable way is not easy. Until this long-awaited feature is ready I created a plugin to solve the problem. The plugin extends the building process with reading up the lockfile and putting the locked versions into the distribution’s metadata:
Installation & usage
- The easiest way to install the lockedbuild plugin is via Poetry:
poetry self add poetry-plugin-lockedbuild
- Now the plugin provides a new command to build a wheel file with locked packages:
poetry lockedbuild
For further details check out the project:
thesnapdragon / poetry-plugin-lockedbuild
Reproducible package building for Poetry 🔒
Poetry Plugin: Locked Build
This package is a plugin that allows the building of wheel files with locked packages from poetry.lock
.
Installation
The easiest way to install the lockedbuild
plugin is via the self add
command of Poetry.
poetry self add poetry-plugin-lockedbuild
If you used pipx
to install Poetry you can add the plugin via the pipx inject
command.
pipx inject poetry poetry-plugin-lockedbuild
Otherwise, if you used pip
to install Poetry you can add the plugin packages via the pip install
command.
pip install poetry-plugin-lockedbuild
Usage
The plugin provides an lockedbuild
command to build a wheel file with locked packages.
poetry lockedbuild
Available options
-
--with
: The optional dependency groups to include when exporting.
Top comments (0)