A proposal for sdist build complexity signaling, providing user agency

I’m not saying it’s a bad solution, and I don’t think it’s something I would advocate breaking. I’m only pointing out that the situation for what an installer can and can’t assume is not necessarily fully found within the lines of the specifications.

That said, arguably yes, from the perspective of either reproducibility based on artifacts on PyPI or the security argument that was made requiring dependencies to be hosted on PyPI; but the solution probably shouldn’t be to break this use case, but rather to document it as possible (so that those reviewing dependencies understand this without needing to have deep knowledge of packaging), or to relax the requirements on PyPI, since they aren’t reasonably enforceable anyhow, so that this kind of solution stops being necessary.
