Provide option to disable hash-checking #4344

@chrispbailey

Description

I would love to provide hashes for the dependencies I use. Specifically, I want to protect against remote tampering with only the code we deploy to production.

In our application we have central dependencies, our own code in vcs, some additional forked libraries in github, dependencies for testing and separate dev dependencies - a setup I assume is not particularly unique.

What I would like is to leverage the ability to reference one requirement file from another to allow anyone to simply run pip install -r X such that a developer can run pip install -r requirements-dev.txt (which would include -r requirements.txt) and our build pipeline can run pip install -r requirements.txt (and hopefully have the central dependency hashes checked).

The first problem is that I cannot put our vcs urls into the requirements.txt file, as require-hashes will fail when it encounters a vcs url (in spite of the fact that ssh/https already provides some protection against tampering and is ironically the only dependency code we have vetted).

Even if require-hashes would allow vcs urls, the second problem is that when using hashes I'm forced to pin and generate hashes for all developer and test dependencies, which for my scenario is unnecessary because, for tamper protection, I only care about the code we deploy to production - after all, I am unable to vet every piece of code that is installed on a developer's machine anyway.

I can't see an elegant solution.

I'm interested in what approaches other teams take - does everyone just hand-craft their own special scripts that manage a combination of pip/pip-compile/hashin from separate requirement.in files for dev, testing and production? Or does everyone just package all vcs deps into a local pypi server and reference the hash of that (but if we manage local copies of all our dependencies it somewhat negates the point of hashing in the first place)?
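As an added example (not from the issue author and not pip's own code): a small pre-flight audit that walks a layered requirements set through its `-r` includes and reports, per file, the lines pip's hash-checking mode would reject. It assumes pip's documented rules for that mode: once any `--hash` is present, every requirement must be pinned with `==` and carry a `--hash`, and VCS, editable and unpinned requirements are rejected. The file names, package versions and the all-`a` digest are constructed for the example, and the checker is a lint step for a build pipeline, not a replacement for running `pip install --require-hashes`.

```python
"""Pre-flight audit of a layered requirements set against pip's hash-checking rules.

Added example, not pip's own code. Rules applied (from pip's documentation of
hash-checking mode): every requirement pinned with == and carrying --hash;
VCS, editable and unpinned requirements rejected. Sample files are constructed.
"""
import os
import re
import tempfile

VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")
COMMENT_RE = re.compile(r"(^|\s+)#.*$")  # '#' starts a comment only at line start or after whitespace
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-f]+")
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==[^\s;]+")


def _logical_lines(path):
    """Yield non-empty lines with comments stripped and backslash continuations joined."""
    buf = ""
    with open(path) as fh:
        for raw in fh:
            line = COMMENT_RE.sub("", raw.rstrip("\n")).rstrip()
            if line.endswith("\\"):
                buf += line[:-1] + " "
                continue
            line = (buf + line).strip()
            buf = ""
            if line:
                yield line


def walk(path, seen=None):
    """Follow -r includes depth-first and yield (file, logical line) pairs."""
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:  # guard against -r cycles
        return
    seen.add(path)
    for line in _logical_lines(path):
        if line.startswith(("-r ", "--requirement ")):
            target = line.split(None, 1)[1]
            yield from walk(os.path.join(os.path.dirname(path), target), seen)
        else:
            yield path, line


def classify(line):
    """Return None if hash-checking mode accepts the line, else the reason it is rejected."""
    if line.startswith(("-e ", "--editable ")):
        return "editable requirement"
    if line.startswith("-"):
        return None  # other options such as --index-url are not requirements
    spec = line.split("--hash=", 1)[0].strip()
    if any(p in spec for p in VCS_PREFIXES):
        return "VCS URL (no hash possible)"
    if not PIN_RE.match(spec):
        return "not pinned with =="
    if not HASH_RE.search(line):
        return "no --hash"
    return None


def audit(path):
    """Map each requirements file name to the (requirement, reason) pairs pip would reject."""
    problems = {}
    for src, line in walk(path):
        reason = classify(line)
        if reason:
            problems.setdefault(os.path.basename(src), []).append((line.split()[0], reason))
    return problems


def build_sample_tree():
    """Write a constructed prod/dev layout like the one in the issue into a temp dir."""
    root = tempfile.mkdtemp()
    fake_hash = "a" * 64  # placeholder digest, not the sha256 of any real package
    files = {
        "requirements.txt": (
            "--index-url https://pypi.org/simple\n"
            "requests==2.31.0 \\\n"
            f"    --hash=sha256:{fake_hash}\n"
            "git+https://github.com/example/forked-lib.git@v1.2#egg=forked-lib\n"
        ),
        "requirements-dev.txt": (
            "-r requirements.txt\n"
            "pytest>=7            # unpinned dev dependency\n"
            "black==23.1.0        # pinned but no hash\n"
        ),
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


def audit_sample():
    """Audit both entry points of the sample tree: (production problems, dev problems)."""
    root = build_sample_tree()
    return (audit(os.path.join(root, "requirements.txt")),
            audit(os.path.join(root, "requirements-dev.txt")))


if __name__ == "__main__":
    for label, result in zip(("production", "development"), audit_sample()):
        print(label, result)
```

Run against the production entry point only the forked VCS dependency is flagged, which is exactly the first problem the issue describes; run against the dev entry point the unpinned and unhashed dev dependencies are flagged too, because pip's hash-checking mode is all-or-nothing across every included file.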

Labels: auto-locked (Outdated issues that have been locked by automation), type: enhancement (Improvements to functionality)