Fridolín Pokorný

> the downloaded prototxt was an html file and so incurs a parser complaint. You can click on the "Raw" button to get raw file (without GitHub's html): https://raw.githubusercontent.com/BVLC/caffe/master/models/bvlc_alexnet/deploy.prototxt

+1, it would be great to add support for Pipenv files (Pipenv is now under Python Packaging Association). micropipenv (a lightweight wrapper for pip to support also Pipenv files) can...

Looking into sources, it looks like a major module rewrite as many parts are shared with micropipenv.

+1 for adding it. We use it in 100+ projects. It has bugs but it does its job.

Checking the archive, it looks like `poetry.lock` diverged from `pyproject.toml`: ``` $ cat poetry.lock ... content-hash = "ea90ae66786c34d6f7d365b95b456cb0c18f9683c76f6833f195076935b4dae5" $ sha256sum pyproject.toml 5e71bfc9e57d479a600b9af18f7cefa33470114bebd2e1889371bed5eb192483 pyproject.toml ``` Would it make sense to check...

> > Would it make sense to check hashes of `poetry.lock` and `Pipfile.lock` files and eventually warn users if they do not match the expected value? > > This sounds...

> @fridex Please keep in mind that I have redacted the pyproject.toml to keep out the private parts. Could it be the reason for the sha divergence? Yes, it can...

> Where micropipenv could be useful, IMO, is to install resolved python stack regardless of the package manager used (poetry, pdm, pipenv, other). If I understand the tool correctly, micropipenv...

> ... are not yet there because there isn't a standard. Yes, it will most probably take some time to have a standardized lockfile in Python. In the meantime, micropipenv...

See also https://github.com/theupdateframework/python-tuf/pull/2234#issuecomment-1365761814