Audit handling of hashes in the lockfile

[konstin]

Audit our handling of hashes. Some hashes are generated. Some are retrieved from registries. Sometimes hashes should not be used (path dependencies) where as sometimes they should (registry dependencies).

I think there are three main issues here:

First is that hashes come from two places: one place is the registry itself. Another place is by hashes we compute ourselves. Which hashes do we use in the lock file? Does it matter? Which should we use?

Second is that we often have multiple hashes available for any given artifact. Do we need to store all of them in the lock file? Or can we just pick the "best" one?

Third is whether we are doing any hash checking. I don't think we are today. But we probably should be.

[charliermarsh]

I can answer all of these questions (regarding what we do today) if helpful.

[konstin]

Do you expect that we have to change the lockfile (schema) for this?

[charliermarsh]

I think we need to make hashes optional for registry-based distributions. I can't remember if it's optional today.

[BurntSushi]

If we make them optional in the lock file, then we won't be able to do hash checking. Are we okay with that?

[charliermarsh]

We can still hash-check the distributions for which we do have hashes.

[charliermarsh]

First is that hashes come from two places: one place is the registry itself. Another place is by hashes we compute ourselves. Which hashes do we use in the lock file? Does it matter? Which should we use?

I think we should follow the strategy we already use today: if from the registry, we use the registry-provided hashes; if from a direct URL, we compute the hash ourselves. If the registry lacks hashes, we don't include any hashes (and warn the user).

Second is that we often have multiple hashes available for any given artifact. Do we need to store all of them in the lock file? Or can we just pick the "best" one?

I think we should just store the "best" one to save space. I'll verify that we're doing this today.

Third is whether we are doing any hash checking. I don't think we are today. But we probably should be.

We aren't. I think we should add "verify any hashes that exist, but don't require them" (so that we can still interoperate with registries that lack hashes).