Hi all – I haven’t read the full thread here, but I did read through the PEP and don’t anticipate any issues implementing / supporting this in uv.
Well, there’s one hitch, which is that we don’t compute the hash of downloaded wheels unless the user runs with --require-hashes or similar (in which case we compare them to the hashes reported by the registry or lockfile).
So, I might selfishly prefer that hashes could be empty, and we could just populate them when the user runs with --require-hashes. But, we could consider changing our behavior – it has other benefits too, of course, to always record a hash. (We do store computed hashes in the cache, so we can always write them to a provenance file on install afterwards – that part is not a problem.)