This means we have to maintain this file. However, we want packagers to be able to reproduce builds from tags etc., so we need to provide the lock file, I think.