AP Ljungquist

Out of curiosity, does anyone know the reason why these packages were considered unsafe in the first place? I tried to track it down a while back to assure myself...

Thanks! I never considered that pip-sync may be a factor. I just sort of assumed that it was copied from pip where setuptools, and later pip and wheel, have been...

Have you looked at doing something like `pip install -c requirements.txt .`? Or better yet, `PIP_CONSTRAINT=requirements.txt pip install .`. The latter ensures that the version locks are respected during isolated...

I think I understand now. So then one could do something like `pipx install oeis[pinned]` to install the app with the dependencies it has been tested with? Interesting idea. Do...

I too would like to gather requirements from `[build-system.requires]`. I also want to gather requirements from the `deps` sections in `tox.ini`. And gather constraints from openembedded. Support for plugging in...

Not sure if the above would be a good way to do it but looks ok to me. Thoughts?

It appears another consequence of this is that hash-checking is not enabled for build system requirements, not even if `--require-hashes` is set on the primary pip command. This is particularly...

I too would like this (I actually want reproducible results, but the inconsistent results seem to go away when I set `no-clearly-defined`, so I'm guessing an offline mode would help...