Lockfiles (like .melange.lock)

[kpcyrd]

hi!

It would be cool to have lockfiles like .melange.lock that work similar to Cargo.lock.

With a configuration like this:

environment:
  contents:
    repositories:
      - https://dl-cdn.alpinelinux.org/alpine/edge/main
      - https://dl-cdn.alpinelinux.org/alpine/edge/community
    packages:
      - alpine-baselayout-data
      - busybox
      - make
      - go
      - git
      - ca-certificates-bundle

The lockfile would contain the resolved versions for make, go, git, etc and help achieve reproduce builds even if one of the packages was updated in alpine in the meantime.

The file could be generated with a command like melange update and toml would probably be a good fit since it works well in git diff and has good machine readability.

[kaniini]

I have a different plan for this, where you run a command and it generates a local repo containing the packages used. You could then use this “lock repo” for this purpose. That way there are no ambiguities with the packages.

[kaniini]

Pushing to v0.2 because the prerequisites for lock repos won't land in apko until apko v0.5.