repositories/http: support algorithms in hashlib.algorithms_guaranteed #6632

Closed
vfazio wants to merge 1 commit into python-poetry:master from vfazio:vfazio-include-additional-algos

@vfazio (Contributor) commented Sep 26, 2022

PEP 503 says:

Repositories SHOULD choose a hash function from one of the ones guaranteed to be available via the hashlib module in the Python standard library (currently md5, sha1, sha224, sha256, sha384, sha512). The current recommendation is to use sha256.

It should make sense, then, to just check that the value returned is in hashlib.algorithms_guaranteed instead of a short subset of hashes.

Otherwise, the subset of hashes should be extended to those directly mentioned in the PEP though that list was compiled 7 years ago and does not reflect algorithms guaranteed to be present.

Pull Request Check List

Resolves:

  • Added tests for changed code.
  • Updated documentation for changed code.

Signed-off-by: Vincent Fazio <vfazio@xes-inc.com>
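
The membership check described in the PR description above, as an added example that is not code from the pull request or from Poetry. It goes beyond the description by also flagging `shake_128`/`shake_256`, which are in `hashlib.algorithms_guaranteed` but need an explicit length for `hexdigest()`, and `md5`/`sha1`; the function names, verdict strings and the choice to flag rather than reject weak hashes are assumptions of this example.

```python
import hashlib
from urllib.parse import urldefrag

# Assumption of this example: md5 and sha1 are flagged as weak, not rejected.
WEAK = {"md5", "sha1"}
# SHAKE is in algorithms_guaranteed, but hexdigest() requires a length argument,
# so a bare membership check followed by hexdigest() would raise TypeError.
VARIABLE_LENGTH = {"shake_128", "shake_256"}


def parse_link_hash(url):
    """Split a PEP 503 link '<url>#<hashname>=<hashvalue>' into its parts."""
    base, fragment = urldefrag(url)
    name, sep, value = fragment.partition("=")
    if not sep or not name or not value:
        return base, None, None
    return base, name.lower(), value.lower()


def classify_algorithm(name):
    """Return 'unsupported', 'variable-length', 'weak' or 'ok' for a hash name."""
    if name not in hashlib.algorithms_guaranteed:
        return "unsupported"
    if name in VARIABLE_LENGTH:
        return "variable-length"
    if name in WEAK:
        return "weak"
    return "ok"


def verify(url, data):
    """Check data against the link's hash fragment; returns (verdict, matched)."""
    _, name, expected = parse_link_hash(url)
    if name is None:
        return "missing", False
    verdict = classify_algorithm(name)
    if verdict in ("unsupported", "variable-length"):
        return verdict, False  # never attempt to compute these digests
    digest = hashlib.new(name, data).hexdigest()
    return verdict, digest == expected


if __name__ == "__main__":
    payload = b"constructed sample archive bytes"  # constructed input
    link = "https://example.invalid/pkg-1.0.tar.gz#sha256=" + hashlib.sha256(payload).hexdigest()
    print(verify(link, payload))
    print(verify("https://example.invalid/pkg-1.0.tar.gz#shake_128=abcd", payload))
```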

@neersighted (Member)

This does not resolve #6301 -- hash handling code is much more involved than this and there are no tests that actually make sure the intended fix really happens. I would suggest instead syncing with the authors of other attempts (e.g. #6490, #4740, #5326) to maybe combine efforts or see what is needed.

I have my own refactor spinning locally as well -- it's much more holistic and security-focused than a straight forward-port, but may take more time to cook.

@vfazio vfazio deleted the vfazio-include-additional-algos branch September 26, 2022 21:21
@github-actions

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Feb 29, 2024