Figure out proper story for pinned dependencies

[ldionne]

Right now, we provide requirements.txt, requirements.server.txt and requirements.client.txt. We also have .[dev] and .[server] dependencies in the pyproject.toml file.

Do we need/want to pin down exact dependencies somewhere? Should we do that in a lockfile generated via pip freeze? Or should we instead get rid of requirements.txt and distribute a Docker image?

What's the canonical way for users to install a package along with a specific frozen list of its dependencies?

[ldionne]

CC @DavidSpickett @DaftanoPro

[jbcoe]

https://peps.python.org/pep-0751/ defines a lock file format for Python.

I’ve used (and have seen used) astral’s uv which has its own lock file format and extensions for pyproject.toml. uv is very fast but may not be the right choice owing to its commercial ownership. https://docs.astral.sh/uv/

[DavidSpickett]

If there were only a docker image, lack of "docker in docker" support in many places would make it a pain to use. We could copy parts of the recipe into our own but then we lose the connection back to "official" LNT.

A lockfile would be more flexible, and any docker image we make can use it also. If this file format works with many of the "standard" Python install tools then that's ideal.

A dockerfile can encode things a lockfile cannot though so if we had problems with a system library, it would be a good thing to have. As long as someone is regularly using the container to keep it up to date (llvm has a container recipe somewhere but it does not get a lot of use).