On Mon, 2021-12-27 at 14:38 +0100, Stefan Herbrechtsmeier via
Hi Alex,The Java OSS ecosystem has had fairly well defined build time and
runtime dependency metadata commonly available for many years now. The
more widely used build tools are capable of using this metadata to
calculate a solution Set(lib, version) that satisfies the version
requirements of the dependency graph - or report that no solution is
available. Cryptographic hashes are however by default provided by the
For Python distribution packages, the 2020 pip resolver is advertised
to be better at calculating solutions to required package
dependencies. Cryptographic hashes are specified for pip, use is
optional. The PyPA Core metadata includes some potentially useful
fields, such as the license and what the project requires.
The language specific package managers could potentially be used to
export dependency metadata, and also potentially to check "with (foo
i.j.k) and (bar x.y.z), is there a set of compatible package versions
available for baz and it's dependencies?"