validate command doesn't ensure .in and .txt are kept in sync #336

Closed
pahwaranger opened this issue Jul 22, 2022 · 1 comment
pahwaranger commented Jul 22, 2022

The validate command ensures that changes in .in are represented in .txt but does not ensure that changes in .txt are represented in .in. This means there is no automated way to easily ensure everything is configured properly if a user who isn't familiar with pip-compile-multi directly modifies the .txt file (per typical pip convention).

I'm not entirely sure how to solve this aside from having a hash stored within the .txt file which is a hash of the expected .txt file's contents. Validate could then load the contents (minus header) and ensure the header's hash matches the computed content hash.

peterdemin (Owner) commented

This is by design; modifying .txt files manually is okay. If you want to validate versions in .txt files, I see three options:

  1. Run pip check after installation - this will perform the same operations as pip-compile-multi during compilation.
  2. Add a wrapper script (or a job in Makefile) that runs md5sum requirements/*.txt > requirements/hashes after compilations. In CI validate the checksums with md5sum -c requirements/hashes.
  3. Open a PR to add a CLI flag --sha-includes-output (flag name is up for discussion) that will change the SHA1 hash computation logic to include the output strings too. In this case pip verify command should check for both options and fail only if neither hashes match the one stored. LMK if you want to go down this road and I can provide more guidance.
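A minimal implementation of the content-hash idea (the header hash proposed in the opening comment, and option 3 above), added here as an example and not pip-compile-multi's own code; the `# CONTENT-SHA1:` header name, the body-normalization rule and the sample lock file are assumptions constructed for this example.

```python
"""Stamp and validate a compiled .txt file with a hash of its own body.

Assumptions (hypothetical, not an existing pip-compile-multi feature):
- A header line ``# CONTENT-SHA1:<hex>`` records the SHA1 of the lock file
  body: every line that is neither blank nor a ``#`` comment (so the
  ``# via ...`` annotations and the existing ``# SHA1:`` header are ignored).
- The sample below is a constructed lock file, not real project output.
"""
import hashlib
import hmac
import re

CONTENT_HEADER = "# CONTENT-SHA1:"


def lock_body(text: str) -> str:
    """Return the normalized pin lines of a compiled .txt file."""
    kept = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            kept.append(stripped)
    return "\n".join(kept) + "\n"


def content_sha1(text: str) -> str:
    """SHA1 of the body; the CONTENT-SHA1 header itself is a comment, so excluded."""
    return hashlib.sha1(lock_body(text).encode("utf-8")).hexdigest()


def stamp(text: str) -> str:
    """Prepend (or refresh) the CONTENT-SHA1 header for the current body."""
    without = "\n".join(ln for ln in text.splitlines() if not ln.startswith(CONTENT_HEADER))
    return f"{CONTENT_HEADER}{content_sha1(without)}\n{without}\n"


def validate(text: str) -> bool:
    """True only if a CONTENT-SHA1 header exists and matches the current body."""
    match = re.search(rf"^{re.escape(CONTENT_HEADER)}([0-9a-f]{{40}})$", text, re.M)
    if not match:
        return False  # no content hash stored: treat as unverified
    return hmac.compare_digest(match.group(1), content_sha1(text))


# Constructed sample in the shape pip-compile-multi output takes.
SAMPLE = """\
# SHA1:0000000000000000000000000000000000000000
#
# This file is autogenerated by pip-compile-multi
requests==2.28.1
    # via -r requirements/base.in
urllib3==1.26.10
    # via requests
"""
```

A CI job would run `validate()` over each compiled file and fail on `False`, catching a hand-edited pin that the .in-based hash cannot see.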
