pip-sync doesn't checked if a remote url distribution has changed

[konstin]

When using a remote distribution with pip-sync, e.g. theano @ https://github.com/Theano/Theano/archive/master.zip, we will accept any distribution that was installed from that url instead of checking that the installed distribution matches the remote distribution.

direct_url.json has a hashes key for remote distributions we can use to implement this correctly: When downloading a distribution, record its hash (sha256 probably) in the cache and check whether it matches the entry in direct_url.json. On each run (both pip-sync and pip-compile), check if the remote distribution changed and in that case, invalid the cached hash and fetch the metadata again (pip-compile) or reinstall (pip-sync)

[zanieb]

@konstin is this still an issue?

[charliermarsh]

Yup!