In a distributed CI/CD pipeline, why is 'pip freeze' alone insufficient for a fully reproducible production build?
Advanced-level Python interview practice question.
Answer
It lists versions but not cryptographic hashes, allowing for 'Package Poisoning' where an attacker replaces a file on PyPI without changing the version number.
Explanation
Reproducibility requires verifying the content of each package, not just its name and version. Without hashes, pip will install any file that claims to be the correct version. (A) is true, but (B) is the critical security gap addressed by lock files.