Create a dependency lock file
The current dependency handler creates a cache in build/cache.toml, which was intended as a prototype for the lock file. For fpm the cache would look like:
```toml
[fpm]
version = "0.1.3"
proj-dir = "."

[toml-f]
version = "0.2.1"
proj-dir = "build/dependencies/toml-f"
git = "https://github.com/toml-f/toml-f"
obj = "2f5eaba864ff630ba0c3791126a3f811b6e437f3"
rev = "2f5eaba864ff630ba0c3791126a3f811b6e437f3"

[M_CLI2]
version = "0.1.0"
proj-dir = "build/dependencies/M_CLI2"
git = "https://github.com/urbanjost/M_CLI2.git"
obj = "e59fb2bfcf36199f1af506f937b3849180454a0f"
rev = "e59fb2bfcf36199f1af506f937b3849180454a0f"
```
Note that the git object in the package manifest is currently used in fpm as an alternative to a lock file. The information required for the lock file should boil down to the package name, its version and the git revision, which are already present in the dependency cache.
In principle, we have everything together to promote the dependency cache to a dependency lock (fpm.lock?).
Yes, fpm.lock like Cargo.lock.
Will the fpm.lock go into the main directory (like with cargo) so it can be easily included in git? (for reproducible builds)
Edit: Otherwise the file would be excluded by default because of the automatically (re-)created .gitignore inside the build directory (see #525).
The cache.toml is purposely put in the build directory to avoid checking it into version control, as the format might change in the future. The final lock file will be in the project root once we have decided on a suitable format.
I'd also like that for reproducibility, but the sha256sum should also be documented in the fpm.lock.
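The lock file proposed in the issue (package name, version, pinned git revision) plus the sha256sum suggested in the last reply can be checked mechanically before a build trusts a fetched dependency. The following Python script is an added example, not fpm's own code: it parses the flat TOML form quoted in the issue, flags any entry whose `rev` is a branch or tag name rather than a full commit hash, and compares a deterministic digest of each checked-out source tree against the recorded `sha256`. The minimal parser, the tree-digest scheme, the `sha256` key name and the demo project layout are all assumptions of this example; the URLs and revisions are the ones quoted in the issue.

```python
import hashlib
import os
import re
import tempfile

_TABLE = re.compile(r"^\[([^\]]+)\]$")
_KV = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"$')
_FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")

def parse_lock(text):
    """Parse the flat TOML subset the cache uses: tables of string-valued keys (assumed format)."""
    lock, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE.match(line)
        if m:
            table = m.group(1).strip()
            lock[table] = {}
            continue
        m = _KV.match(line)
        if m is None or table is None:
            raise ValueError(f"unsupported lock file line: {raw!r}")
        lock[table][m.group(1)] = m.group(2)
    return lock

def render_lock(lock):
    """Serialise a lock dict back into the same flat form, one table per package."""
    lines = []
    for name, entry in lock.items():
        lines.append(f"[{name}]")
        lines.extend(f'{key} = "{value}"' for key, value in entry.items())
    return "\n".join(lines) + "\n"

def is_pinned_rev(rev):
    """A build is only reproducible if rev is a full commit hash, not a movable branch or tag."""
    return bool(_FULL_SHA1.match(rev))

def source_tree_digest(root):
    """Deterministic SHA-256 over a checkout: sorted relative paths plus file
    contents, skipping .git so only the sources fpm would compile are covered."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h.update(os.path.relpath(full, root).replace(os.sep, "/").encode() + b"\0")
            with open(full, "rb") as f:
                h.update(hashlib.sha256(f.read()).digest())
    return h.hexdigest()

def verify_lock(lock, project_root):
    """Return a list of problems; empty means every git dependency is pinned to a
    full commit and its fetched source tree matches the recorded sha256."""
    problems = []
    for name, entry in lock.items():
        if "git" not in entry:  # the root project itself carries no git entry
            continue
        rev = entry.get("rev", "")
        if not is_pinned_rev(rev):
            problems.append(f"{name}: rev {rev!r} is not a full commit hash")
        expected = entry.get("sha256")
        if expected is None:
            problems.append(f"{name}: no sha256 recorded")
        elif source_tree_digest(os.path.join(project_root, entry["proj-dir"])) != expected:
            problems.append(f"{name}: source tree does not match locked sha256")
    return problems

def demo():
    """Constructed run: lay out a fake project with two fetched dependencies,
    lock them, verify, then modify one checkout and verify again."""
    with tempfile.TemporaryDirectory() as root:
        src = {}
        for pkg in ("toml-f", "M_CLI2"):
            src[pkg] = os.path.join(root, "build", "dependencies", pkg, "src", f"{pkg}.f90")
            os.makedirs(os.path.dirname(src[pkg]))
            with open(src[pkg], "w") as f:
                f.write(f"module {pkg.replace('-', '_')}\nend module\n")
        digest = lambda pkg: source_tree_digest(os.path.join(root, "build", "dependencies", pkg))
        lock = {
            "fpm": {"version": "0.1.3", "proj-dir": "."},
            "toml-f": {"version": "0.2.1", "proj-dir": "build/dependencies/toml-f",
                       "git": "https://github.com/toml-f/toml-f",
                       "rev": "2f5eaba864ff630ba0c3791126a3f811b6e437f3", "sha256": digest("toml-f")},
            # rev = "main" is what an unpinned entry looks like; verify_lock must flag it
            "M_CLI2": {"version": "0.1.0", "proj-dir": "build/dependencies/M_CLI2",
                       "git": "https://github.com/urbanjost/M_CLI2.git", "rev": "main",
                       "sha256": digest("M_CLI2")},
        }
        parsed = parse_lock(render_lock(lock))
        before = verify_lock(parsed, root)
        with open(src["toml-f"], "a") as f:  # simulate a modified or tampered checkout
            f.write("! injected line\n")
        after = verify_lock(parsed, root)
    return before, after
```

Running `demo()` returns the problem list before and after the tampering step: before, only the unpinned M_CLI2 entry is reported; afterwards the modified toml-f tree no longer matches its locked digest as well. Hashing the tree rather than the git object means the check also catches a checkout edited after fetching, which a commit hash alone cannot detect.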