pypa / pipfile


[request] Clarification on intended Pipfile.lock consumption?

alecbz opened this issue · comments

A deployed application can then be completely redeployed with the same exact versions of all recursive dependencies, by referencing the Pipfile.lock file.

AFAICT, with pipenv, you do this with pipenv install --ignore-pipfile. Is some functionality like this intended to be backported to pip as well? Can the "pip integration (eventual)" section call this out specifically?

Or perhaps I'm misunderstanding the semantics of pipenv install? My impression is that it reads only from Pipfile and only writes to Pipfile.lock. Is that correct?

From experimenting a bit, here's my understanding:

pipenv install will check if the Pipfile has changed. If it has changed, it will update Pipfile.lock to reflect the changes. If Pipfile hasn't changed, it will not touch Pipfile.lock and install exactly what's defined there.

This means that if Pipfile contains mypackage = '*', and then Pipfile.lock is created, locking to mypackage==0.0.1 - and then mypackage updates to 0.0.2, running pipenv install won't update mypackage - it will stay at the version in Pipfile.lock. Only if you actually change Pipfile to mention mypackage = '>=0.0.1', then running pipenv install will update the Pipfile.lock.

To avoid Pipfile.lock being updated even if Pipfile has been updated, you should use pipenv install --deploy. This will throw an error:

$ pipenv install --deploy
Your Pipfile.lock (490362) is out of date. Expected: (0dc2a8).
Aborting deploy.
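The staleness check that --deploy performs, as an added example (not code from pipenv, the pipfile library, or anyone in this thread): the Pipfile is hashed as canonical JSON the way the pipfile library's Pipfile.hash does it, and that hash is compared with the one pipenv records under _meta.hash.sha256 in Pipfile.lock. The PIPFILE_DATA dict, the lock file and the helper names (make_lockfile, check_deploy, with_requirement) are constructed for this illustration.

```python
import hashlib
import json

# Constructed Pipfile contents, in the dict shape pipfile.Pipfile.load() produces:
# sources/requires under "_meta", then the "default" and "develop" package groups.
PIPFILE_DATA = {
    "_meta": {
        "sources": [{"url": "https://pypi.org/simple", "verify_ssl": True, "name": "pypi"}],
        "requires": {"python_version": "3.8"},
    },
    "default": {"mypackage": "*"},
    "develop": {},
}


def pipfile_hash(data):
    """SHA256 of the Pipfile data serialised like the pipfile library does:
    sorted keys, no whitespace, UTF-8 (so edits to any specifier change the hash)."""
    content = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(content.encode("utf8")).hexdigest()


def make_lockfile(data, resolved):
    """Constructed Pipfile.lock: the hash of the Pipfile it was generated from,
    plus the fully pinned resolution (here a single package pinned to 0.0.1)."""
    lock = {"_meta": {"hash": {"sha256": pipfile_hash(data)}}, "default": resolved, "develop": {}}
    return json.dumps(lock)


def with_requirement(data, name, spec):
    """Return a copy of the Pipfile data with one package specifier changed."""
    edited = json.loads(json.dumps(data))  # deep copy via JSON round-trip
    edited["default"][name] = spec
    return edited


def check_deploy(data, lock_text):
    """The --deploy check: refuse to install when Pipfile.lock was generated from a
    different Pipfile than the one on disk. Returns (ok, message)."""
    recorded = json.loads(lock_text)["_meta"]["hash"]["sha256"]
    expected = pipfile_hash(data)
    if recorded != expected:
        return False, ("Your Pipfile.lock (%s) is out of date. Expected: (%s). Aborting deploy."
                       % (recorded[:6], expected[:6]))
    return True, "Pipfile.lock matches Pipfile; installing only the pinned versions."


if __name__ == "__main__":
    lock = make_lockfile(PIPFILE_DATA, {"mypackage": {"version": "==0.0.1"}})
    print(check_deploy(PIPFILE_DATA, lock))                                   # in sync
    print(check_deploy(with_requirement(PIPFILE_DATA, "mypackage", ">=0.0.1"), lock))  # stale
```

Changing mypackage from '*' to '>=0.0.1' in the Pipfile, as in the scenario above, is enough to make the recorded hash mismatch and the deploy abort, even though the pinned 0.0.1 still satisfies the new specifier.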