Currently I’m working around this with a custom install command, that hashes any file requirement arg and puts it into a requirements file before passing it onto pip here: https://github.com/PyCQA/modernize/pull/228/files#diff-256be86b218458267e29f38e19906417R72
I’m also proposing to use this work-around in tox https://github.com/tox-dev/tox/issues/1672
I think it would be neater to have a --require-hashes-only-for-remote-requirements
flag or similar