Generate and require hashes of dependencies
Versions of packages on PyPI can’t be overwritten. So new, malicious source code has to be released as a new version. However, a package’s version’s distributions are not immutable. A malicious actor could add a [built distribution](https://packaging.python.org/en/latest/glossary/#term-Built-Distribution) for a version which previously only had a [source distribution](https://packaging.python.org/en/latest/glossary/#term-Source-Distribution-or-sdist). pip would give preference to the built distribution. Hashes are calculated on a per-distribution basis. Requiring that hashes match a known good set stops that new, malicious, built distribution getting picked up when installing a project’s requirements.

***

We have to add these as flags because:

- we use pip, not uv, in this repo
- in pip they are not the default
Chris Hill-Scott committed
86d2646a664b1b7a309a29fa14d444541c2c8f56
Parent: 2a4c7ac
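The mechanism the commit message relies on is pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`, with the hashes produced by a generator such as `pip-compile --generate-hashes` from pip-tools). The following is an added, self-contained illustration of that check, not code from this repository: it parses a hash-pinned requirements file and accepts a distribution file only when its SHA-256 is in the allowed set for the pinned version, so a built distribution uploaded later for the same version (a different file, hence a different hash) is refused. Like pip, it also rejects any requirement that is not pinned with `==` and a `--hash`. The package name `demo-pkg`, the requirements text and the distribution bytes are all constructed here so the script runs offline.

```python
"""Minimal model of pip's --require-hashes behaviour (added example, not
the repository's own code). Requirements text and distribution bytes below
are constructed for the demonstration."""
import hashlib
import re
from typing import Dict, Set, Tuple

# Constructed stand-ins for two distributions of the same version: the sdist
# that was hashed when the requirements were generated, and a wheel that a
# malicious actor uploads afterwards for that already-released version.
SDIST_BYTES = b"demo-pkg-1.0.0 source distribution (constructed)"
LATER_WHEEL_BYTES = b"demo-pkg-1.0.0 built distribution added later (constructed)"
SDIST_SHA256 = hashlib.sha256(SDIST_BYTES).hexdigest()

# Constructed requirements file in the style a hash generator emits: pinned
# version, backslash continuation, one --hash per known-good distribution.
GOOD_REQUIREMENTS = f"""
# constructed requirements file
demo-pkg==1.0.0 \\
    --hash=sha256:{SDIST_SHA256}
"""

# Constructed file that would be rejected in hash-checking mode: a
# requirement without an exact pin and without a hash.
BAD_REQUIREMENTS = """
demo-pkg>=1.0
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_requirements(text: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Return {name: (pinned_version, {sha256, ...})}.

    Mirrors pip's rule that in hash-checking mode every requirement must be
    pinned with '==' and carry at least one --hash; otherwise it raises.
    """
    logical = text.replace("\\\n", " ")  # join backslash continuations
    result: Dict[str, Tuple[str, Set[str]]] = {}
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pin = _PIN_RE.match(line)
        if not pin:
            raise ValueError(f"not pinned with '==' (required in hash mode): {line}")
        name, version = pin.group(1).lower(), pin.group(2)
        hashes = set(_HASH_RE.findall(line))
        if not hashes:
            raise ValueError(f"no --hash given for {name}=={version}")
        result[name] = (version, hashes)
    return result


def hash_mode_accepts(text: str) -> bool:
    """True if the whole requirements file is usable in hash-checking mode."""
    try:
        parse_requirements(text)
        return True
    except ValueError:
        return False


def distribution_allowed(reqs: Dict[str, Tuple[str, Set[str]]],
                         name: str, version: str, dist_bytes: bytes) -> bool:
    """Accept a candidate distribution only if its SHA-256 is a known-good hash
    for the pinned version; any other file for that version is refused."""
    pinned_version, allowed = reqs[name.lower()]
    if version != pinned_version:
        return False
    return hashlib.sha256(dist_bytes).hexdigest() in allowed


if __name__ == "__main__":
    reqs = parse_requirements(GOOD_REQUIREMENTS)
    print("sdist accepted:", distribution_allowed(reqs, "demo-pkg", "1.0.0", SDIST_BYTES))
    print("later wheel accepted:", distribution_allowed(reqs, "demo-pkg", "1.0.0", LATER_WHEEL_BYTES))
    print("unpinned file usable:", hash_mode_accepts(BAD_REQUIREMENTS))
```

The two properties worth noting are exactly the ones the commit message leans on: the hash is bound to a specific file rather than to a version string, so a new build for an existing version does not match, and hash mode is all-or-nothing, so one unpinned or unhashed line fails the whole install rather than silently falling back to normal resolution.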