Description
What's the problem this feature will solve?
When using devpi or other non-pypi.org servers, the hashing falls back to downloading the asset and hashing it locally.
Describe the solution you'd like
Use the sha256 hash from the /simple endpoint. pypi.org and devpi both provide sha256 hashes as a fragment in their href.
It's optional and may not include the user's preferred hash function, so pip-compile should still fall back on the JSON API/downloading assets:
The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #=, where is the lowercase name of the hash function (such as sha256) and is the hex encoded digest.
Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.
For example, Artifactory's PyPI implementation only puts md5 in the fragment of their simple href: https://www.jfrog.com/jira/browse/RTFACT-18495
Artifactory now supports sha256 in the simple api
Alternative Solutions
Additional context
/cc @fschulze
#1109
view-source on: https://m.devpi.net/root/pypi/+simple/devpi-server/
and view-source on: https://pypi.org/simple/devpi-server/
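
Added example, not part of the original issue and not pip-tools code: a sketch of the requested behaviour that reads the hash fragment from each href on a /simple page and separates files that can be pinned directly from files that still need the JSON API or a download. The index URL, file names and digests are constructed placeholders, and the names SimpleIndexParser, is_hex_digest and split_by_hash are hypothetical.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed sample of a /simple/<project>/ page; the digests are placeholders.
SAMPLE_PAGE = """<html><body>
<a href="../../packages/example_pkg-1.0-py3-none-any.whl#sha256=%s">whl</a>
<a href="../../packages/example_pkg-1.0.tar.gz#md5=%s">sdist</a>
<a href="../../packages/example_pkg-0.9.tar.gz">old sdist</a>
</body></html>""" % ("ab" * 32, "cd" * 16)


class SimpleIndexParser(HTMLParser):
    """Collect (absolute file URL, hash name, hex digest) for every anchor."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag != "a" or not href:
            return
        url, fragment = urldefrag(urljoin(self.base_url, href))
        name, sep, digest = fragment.partition("=")
        self.links.append((url, name if sep else None, digest))


def is_hex_digest(digest, name):
    """Reject fragments whose value is not a lowercase hex digest of the right size."""
    size = hashlib.new(name).digest_size * 2
    return len(digest) == size and all(c in "0123456789abcdef" for c in digest)


def split_by_hash(page, base_url, preferred="sha256"):
    """Return ({url: "sha256:<hex>"}, [urls that need the JSON API or a download])."""
    parser = SimpleIndexParser(base_url)
    parser.feed(page)
    pinned, fallback = {}, []
    for url, name, digest in parser.links:
        if name == preferred and is_hex_digest(digest, preferred):
            pinned[url] = f"{name}:{digest}"
        else:  # missing fragment, md5-only index, or malformed value
            fallback.append(url)
    return pinned, fallback
```

The digest from the index is only as trustworthy as the index and the transport it was fetched over, so the fallback list is also where an md5-only server ends up.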