I need to write a blog post explaining how lockfiles are not actually needed for reproducibility and they were just added as a workaround to retrofit reproducibility on top of existing badly-behaved systems like rubygems, but then for some reason they hired the bundler guy to make the dependency manager for rust so he copied the same design despite it being an unnecessary complication in a greenfield system

@technomancy I thought lock files were also supposed to act as TOFU for dependencies so the file contents behind a version tag can't be modified after the fact

@forestjohnson you can use them for that too I guess; I'm only talking about how you resolve dependencies

I think there are potentially useful lockfile-like constructs you can layer on top of that once you have decided what dependencies to use; they just shouldn't be used to calculate the versions used
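A concrete sketch of the split drawn above (resolution decides which versions to use; a separate pin file then records what those versions hashed to on first use and refuses a silent swap behind the same tag), added here as an example and not code from this thread; the package names, versions and registry bytes are constructed.

```python
"""TOFU-style integrity pins layered on top of an already-resolved dependency set."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: the output of dependency *resolution* (name -> chosen version).
RESOLVED: Dict[str, str] = {"libfoo": "2.2.4", "libbar": "1.13.6"}

# Constructed sample registry: (name, version) -> artifact bytes as served.
REGISTRY_V1: Dict[Tuple[str, str], bytes] = {
    ("libfoo", "2.2.4"): b"libfoo-2.2.4 contents",
    ("libbar", "1.13.6"): b"libbar-1.13.6 contents",
}
# Same version tags, but one artifact has been replaced after the fact.
REGISTRY_V2 = dict(REGISTRY_V1)
REGISTRY_V2[("libfoo", "2.2.4")] = b"libfoo-2.2.4 contents (replaced)"


def digest(data: bytes) -> str:
    """Content hash recorded in the pin file."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def pin(resolved: Dict[str, str], registry: Dict[Tuple[str, str], bytes]) -> Dict[str, str]:
    """First use: trust what is fetched and record its hash (the TOFU step).
    Note that the versions come in already chosen; this does no resolution."""
    return {f"{name}@{ver}": digest(registry[(name, ver)]) for name, ver in resolved.items()}


def verify(pins: Dict[str, str], resolved: Dict[str, str],
           registry: Dict[Tuple[str, str], bytes]) -> List[Tuple[str, str]]:
    """Later installs: same versions as before, but the bytes must match the pin.
    Returns a list of (package@version, problem); empty means everything checks out."""
    problems: List[Tuple[str, str]] = []
    for name, ver in resolved.items():
        key = f"{name}@{ver}"
        if key not in pins:
            problems.append((key, "unpinned"))
            continue
        if digest(registry[(name, ver)]) != pins[key]:
            problems.append((key, "hash mismatch"))
    return problems


if __name__ == "__main__":
    pins = pin(RESOLVED, REGISTRY_V1)
    print("clean registry:", verify(pins, RESOLVED, REGISTRY_V1))
    print("tampered registry:", verify(pins, RESOLVED, REGISTRY_V2))
```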


@technomancy I'll have to wait for the blog post 🤔
