Support reproducible builds · Issue #176 · bazel-contrib/rules_python · GitHub

Support reproducible builds #176
Closed
@Monnoroch

Description

rules_python allows using a requirements.txt file with pinned down versions of dependencies. However, this is not good enough, since the actual archive downloaded can be different each time, which is really bad for Bazel's aggressive caching strategy and for cross-machine reproducibility. Plus, this is totally in the spirit of Bazel. I fully realize that this feature will require explicitly listing transitive dependencies, but it is totally acceptable when maximum reproducibility is required. The way I would propose to implement it would be a generator that, given an input requirements.txt file, outputs a list of targets to be added to the WORKSPACE file. These rules should also include SHA-256 hashes of compiled wheels or other artifacts. Another important thing to remember is cross-compilation: some Python libraries (such as numpy) include native code and need to be built for a target system. The above generator should support common patterns and be extensible enough for developers to handle tricky cases. Right now, these rules download different files on Windows, so with a Linux-only CI environment I experience issues when people that use Windows try to build code.

Related: #140.

Somewhat related: #154.
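
A sketch of the kind of generator the issue asks for, added here as an illustration and not code from rules_python or from the issue author. It assumes the input uses pip's hash-checking format (`name==version --hash=sha256:...`), that a sha256-to-URL lookup is available (constructed inline, with `example.invalid` URLs and made-up artifact bytes), and that Bazel's stock `http_file` rule is an acceptable output target; the names `parse_locked` and `emit_targets` are hypothetical.

```python
import hashlib
import re

PIN = re.compile(r"^([A-Za-z0-9._-]+)==([^\s;]+)")
HASH = re.compile(r"--hash=sha256:([0-9a-f]{64})")

def parse_locked(text):
    """Return [(name, version, [sha256, ...])]; reject unpinned or unhashed lines."""
    entries = []
    # Join pip's backslash continuations, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"(^|\s)#.*", "", line).strip()
        if not line:
            continue
        pin, hashes = PIN.match(line), HASH.findall(line)
        if not pin:
            raise ValueError(f"not pinned with ==: {line!r}")
        if not hashes:
            raise ValueError(f"no sha256 hash: {line!r}")
        entries.append((pin.group(1), pin.group(2), hashes))
    return entries

def emit_targets(entries, url_for_hash):
    """Emit one http_file stanza per artifact hash (one per platform wheel)."""
    out = []
    for name, version, hashes in entries:
        for digest in hashes:
            url = url_for_hash[digest]  # KeyError: hash unknown to the lookup
            target = re.sub(r"[^A-Za-z0-9_]", "_", url.rsplit("/", 1)[1])
            out.append(
                f'# {name}=={version}\nhttp_file(\n    name = "{target}",\n'
                f'    urls = ["{url}"],\n    sha256 = "{digest}",\n)'
            )
    return "\n\n".join(out)

# Constructed stand-ins for wheel files and an index lookup (sha256 -> URL).
ARTIFACTS = {
    "https://example.invalid/native_pkg-2.1-cp311-manylinux_x86_64.whl": b"linux build",
    "https://example.invalid/native_pkg-2.1-cp311-win_amd64.whl": b"windows build",
}
URL_FOR_HASH = {hashlib.sha256(b).hexdigest(): u for u, b in ARTIFACTS.items()}
REQUIREMENTS = "native_pkg==2.1 \\\n" + " \\\n".join(
    f"    --hash=sha256:{h}" for h in URL_FOR_HASH) + "\n"

if __name__ == "__main__":
    print(emit_targets(parse_locked(REQUIREMENTS), URL_FOR_HASH))
```

Because every platform-specific wheel gets its own pinned target, a Linux-only CI and a Windows developer resolve to artifacts whose digests are both recorded up front, and Bazel fails the fetch if the downloaded bytes differ.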
