John Sirois

Since Pex vendors a very limited set of 3rd party libraries it uses, sticking to the stdlib is best; so text or JSON are preferred from the Pex point of...

Hrm. A quick read of the spec seems to suggest each file must have 1 sha1 checksum and then 0 or more other checksums: https://spdx.github.io/spdx-spec/v2.3/file-information/#84-file-checksum-field A lockfile only contains sha256...

Ok, the code that implements `pex3 lock export ...` is here: https://github.com/pantsbuild/pex/blob/fd9a07f3cc4e8a3f64eb2c9850f7936c67453315/pex/cli/commands/lock.py#L493-L516 That currently exports for just 1 distribution target, where a distribution target in Pex-speak is a particular local...

If, instead of exporting an entire lockfile as an SBOM, individual built-PEX files could export (or even include) an SBOM, things become alot simpler since the actual used software is...

@danxmoran yes, the default versions should ship statically tied to each Pip release Pex supports. Do you mind documenting the particular case you ran into? Is there a setuptools fix...

@danxmoran Ok. Option #18 is to just fork https://github.com/jamescasbon/PyVCF, use a VCS requirement and plop down a `pyproject.toml` of: ```toml [build-system] requires = ["setuptools

@danxmoran I'm not sure. Can you supply a backtrace for the error you hit? (You may need PEX_VERBOSE=1 to expose this depending where you hit the error) It's unclear to...

In the meantime, `--extra-pip-requirement` was added in #2461 which just about solves this. The Pip installation module just needs to special case extra_requirements whose project name is setuptools or wheel...

@hrfuller you were not able to provide more details and Pex has since grown even more ways to pick sources, now including: + `-D` / `--sources-directory`: Include everything under the...

I totally missed item 2. Although you can now `pex --no-pre-install-wheels` to get wheels stored in a PEX as is (no extra compression, no pre-installation in a chroot), you still...