Ignas Anikevicius

> That sounds like something that may be taking the bazel core developers out of context. While I haven't heard the statement, I'm guessing that the intention of their statement...

Thanks for the context, this is useful. I am still not 100% convinced that `@foo//src/bar` and `import bar` is super magical. Because if `foo` is a repo that provides a...

+1 for this getting added to rules_python. If anyone wants to take a stab at it, I can answer questions about pip machinery and help in this way.

It seems that PEP-770 has been accepted and the SBOMs are being standardized in the Python ecosystem. The following may be useful: https://packaging.python.org/en/latest/specifications/binary-distribution-format/#the-dist-info-sboms-directory

@groodt, do you plan (have time) to clean this up before 1.0?

Could you please provide the following numbers for each of the cases: * How many packages do you have? `bazel query "@pip//..." | rg :dist_info | wc -l` * How...

I have made a few improvements in #3058, if you have time, please test the `PR` if the time spent in `bazel query` is better.

I think @ouillie is correct here - we can still lock the hashes in the `MODULE.bazel.lock` file. However, that requires the following to be in place: * Fully stabilize #260...

I think implementing the second bullet point would be sufficient for that. Then you could specify `experimental_index_url = "https://pypi.org/simple"` and it might work.

The pushing is done via a simple `bazel run` invocation whereas `pip.parse` is downloading everything using `repository_ctx.download` which cannot share code. However, you can supply a `twine` binary with `keyring`...