support hash checks for url reqs with hash fragment

[qwcode]

solution for #468, with unit and functional tests.

this makes pip validate the hash if you did this:
pip install http://domain.com/pkg-1.2.tar.gz#md5=fce076628d299baa2f699ac3475a674c

the complicated part in this was the possibility of using #egg and hash fragments together. I've used #egg fragments in the past when using url tar requirements to give it a definite identity in the dependency resolution process to prevent this problem: #724

[qwcode]

the errors in this are caused by pypa/virtualenv#361

[qwcode]

@dstufft, fyi, if you want to review this, since you opened up #468 on this awhile back.

[d1b]

👍

[d1b]

/me hopes this gets merged soon.

[g2p]

It might be useful to add a flag that enforces this check. This way pip versions that are too old to compute the hash would fail the install (unrecognised flag), and a hash fragment with a syntax typo or a missing hash would also fail the install.

[msabramo]

This looks like a nice enhancement. Maybe it can be revived?

[msabramo]

Sounds sort of like @erikrose's peep. Could be a nice addition to pip.

[xavfernandez]

@qwcode now that #3231 is merged, this one seems less useful and could be closed ?

[erikrose]

Yep. It even satisfies #735 (comment).