Would it make sense, for the sake of extensibility, to include these hashes in a json file that provides information about the concrete distribution that the installer used.
In the future, this could be extended with more information such as the URL that was downloaded, the index that provided the distribution, etc.
I kind of agree, I think a json format is more extendible and flexible, so I will probably change it in the following days
I currently do not plan on changing PEP 376, but thanks for your feedback!
The idea is to create HASH file in each installation, and then when we look at the environment, we can easily get the hashes. If each time we install we drop a HASH file, every installed distribution will have its hash, and so the hash of every wheel/sdist file will be present in requirements.txt. I hope I explained this in a reasonable way.
Maybe, but this discussion is a big one, and not entirely related only to this PEP draft, I would welcome ideas, but this is not my focus in this PEP