Hey, > With -citations, or in addition to it, we should have some flag
that causes the print out of the unique version information for each package used in a computation. Since computations are often done "between" version releases or with "randomly" patched releases how can we capture that information?I think getting version information from other packages is pretty worthless (how many times has SuperLU had a shadow release). However, for all the packages that we control, we can get the SHA1 very simply. So a list of SHA1s for all packages would be meaningful.
Yeah, SHA1 is fine. One problem, however, is the reverse-lookup, i.e. trying to 'find' the correct packages with given SHA1s in order to e.g. reproduce some results. If we provide all external packages out of our own download repositories, we can keep track of the SHA1s in use. With external download URLs, however, such a trace-back might be fairly hard or even impossible. Thus, we might want to consider some date information in addition to the SHA1 just to have a hint in case a SHA1 cannot be matched.
Best regards, Karli
