What's the problem this feature will solve?
When using devpi or other non-pypi.org servers, the hashing falls back to downloading the asset and hashing it locally.
Describe the solution you'd like
Use the sha256 hash from the /simple endpoint; pypi.org and devpi both provide sha256 hashes as a fragment in their href.
It's optional and may not include the user's preferred hash function, so pip-compile should still fall back on the JSON api/downloading assets:
The URL SHOULD include a hash in the form of a URL fragment with the following syntax: #=, where is the lowercase name of the hash function (such as sha256) and is the hex encoded digest.
Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.
For example, artifactory's pypi implementation only puts md5 in the fragment of their simple href: https://www.jfrog.com/jira/browse/RTFACT-18495
Artifactory now supports sha256 in the simple api
Alternative Solutions
devpi/devpi#801 (comment)
Additional context
/cc @fschulze
#1109
view-source on: https://m.devpi.net/root/pypi/+simple/devpi-server/
and view-source on: https://pypi.org/simple/devpi-server/
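An added sketch of the requested behaviour (not pip-tools code and not part of the original issue): parse a simple index page, take the digest from each href fragment when it uses the wanted hash function, and list the files that still need the JSON API or download fallback. The sample page, the `index.example` URL and all function and class names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed sample page; the digest is computed here, not taken from any index.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample").hexdigest()
SAMPLE_PAGE = f"""<html><body>
<a href="../../pkgs/demo-1.0.tar.gz#sha256={SAMPLE_DIGEST}">demo-1.0.tar.gz</a>
<a href="../../pkgs/demo-1.0-py3-none-any.whl#md5={'0' * 32}">demo-1.0-py3-none-any.whl</a>
<a href="../../pkgs/demo-0.9.tar.gz">demo-0.9.tar.gz</a>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collect the href of every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def hashes_from_simple_page(html, base_url, wanted="sha256"):
    """Return ({filename: "<wanted>:<hex>"}, [file URLs that need the fallback])."""
    parser = AnchorCollector()
    parser.feed(html)
    hex_len = hashlib.new(wanted).digest_size * 2
    found, fallback = {}, []
    for href in parser.hrefs:
        url, fragment = urldefrag(urljoin(base_url, href))
        name, _, value = fragment.partition("=")
        value = value.lower()
        # Accept only the wanted function with a well-formed hex digest;
        # md5-only, missing or malformed fragments go to the fallback path.
        if name == wanted and len(value) == hex_len and set(value) <= set("0123456789abcdef"):
            found[url.rsplit("/", 1)[-1]] = f"{wanted}:{value}"
        else:
            fallback.append(url)
    return found, fallback


if __name__ == "__main__":
    print(hashes_from_simple_page(SAMPLE_PAGE, "https://index.example/simple/demo/"))
```

A digest read from the index page carries the same trust as the index and the connection to it, so the page should be fetched over verified TLS from the same index the files would otherwise be downloaded from.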