strong hashing in RECORD and signed wheel files

One of the main design goals for the wheel built package format is that a wheel archive extracted to sys.path is a PEP-376 compliant installation. I also want most wheel files to be cryptographically signed. The idea is to include a < 256 byte JSON Web Signature of RECORD, "RECORD.jws", which will only take a couple of milliseconds to generate, in the .dist-info directory. This is only meaningful if RECORD has strong hashes, or the installer would have to always rewrite RECORD on install just to include md5 sums to follow the spec.
PyPI already lets you sign whole archives with GPG, but this scheme is more flexible because you can re-compress the .zip archive without invalidating signatures, you could use HTTP Range (partial content) requests to download and verify only the metadata of an archive without having to download the whole thing (this is one reason why .whl is a zip archive), and the whole system will be a bit more relaxed than GPG so that bdist_wheel can just generate signing keys automatically and an end user can decide whether to trust or distribute a particular key later -- perhaps a particular key would be valid per maintainer, or per distribution, or for only certain versions of a distribution.
That's why I would like PEP 376 to understand hashes-besides-md5 in RECORD.
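The scheme sketched in the post above, as an added worked example that is not part of the original thread or of the wheel project's code: a RECORD whose entries carry sha256 hashes instead of md5, a compact JWS over the RECORD bytes stored beside it as RECORD.jws, and a verifier that authenticates RECORD first and only then checks each file against it. The archive layout, file names and key are constructed for the example, and HS256 (HMAC, available in the standard library) stands in for the public-key signature the post envisions; only that primitive would change.

```python
import base64
import hashlib
import hmac
import io
import json
import zipfile
from typing import Optional

# Constructed sample wheel contents and signing key (assumptions for this example).
DIST_INFO = "example-1.0.dist-info"
DEMO_FILES = {
    "example/__init__.py": b"VERSION = '1.0'\n",
    f"{DIST_INFO}/METADATA": b"Name: example\nVersion: 1.0\n",
}
DEMO_KEY = b"constructed-demo-signing-key"

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWS uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_record(files: dict) -> str:
    """RECORD with a strong hash per entry: path,sha256=<digest>,size.
    RECORD lists itself with empty hash and size, as PEP 376 requires."""
    lines = [f"{path},sha256={b64url(hashlib.sha256(data).digest())},{len(data)}"
             for path, data in sorted(files.items())]
    lines.append(f"{DIST_INFO}/RECORD,,")
    return "\n".join(lines) + "\n"

def sign_record(record: str, key: bytes) -> str:
    """Compact JWS (header.payload.signature) over the RECORD bytes. HS256 (HMAC)
    is a stdlib stand-in; a public-key algorithm would change only this primitive."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(record.encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"

def verify_jws(jws: str, key: bytes) -> Optional[bytes]:
    """Return the signed payload if the JWS verifies, else None."""
    try:
        header, payload, signature = jws.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        sig_bytes = b64url_decode(signature)
    except (ValueError, AttributeError):
        return None
    if alg != "HS256":
        return None  # never let the token choose an algorithm the verifier did not expect
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return b64url_decode(payload) if hmac.compare_digest(expected, sig_bytes) else None

def build_archive(files: dict, key: bytes) -> bytes:
    """Zip the files plus RECORD and its detached signature RECORD.jws."""
    record = build_record(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
        zf.writestr(f"{DIST_INFO}/RECORD", record)
        zf.writestr(f"{DIST_INFO}/RECORD.jws", sign_record(record, key))
    return buf.getvalue()

def verify_archive(archive: bytes, key: bytes) -> list:
    """Check RECORD.jws first, then every hashed RECORD entry against the archive.
    Returns a list of problems; an empty list means the archive verifies."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        record = zf.read(f"{DIST_INFO}/RECORD")
        signed = verify_jws(zf.read(f"{DIST_INFO}/RECORD.jws").decode("ascii"), key)
        if signed is None:
            return ["RECORD.jws signature invalid"]
        if signed != record:
            return ["RECORD does not match signed payload"]
        problems = []
        for line in record.decode().splitlines():
            path, hash_spec, size = line.split(",")
            if not hash_spec:
                continue  # RECORD's own entry carries no hash
            algo, _, digest = hash_spec.partition("=")
            try:
                data = zf.read(path)
            except KeyError:
                problems.append(f"{path}: missing from archive")
                continue
            ok = algo == "sha256" and b64url(hashlib.sha256(data).digest()) == digest
            if not ok or str(len(data)) != size:
                problems.append(f"{path}: hash or size mismatch")
    return problems

def repack(archive: bytes, compression: int = zipfile.ZIP_STORED,
           replace: Optional[dict] = None) -> bytes:
    """Re-pack every member under another compression method, optionally
    substituting members to simulate tampering. The signature covers the RECORD
    bytes, not the zip container, so plain recompression still verifies."""
    replace = replace or {}
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(buf, "w", compression) as dst:
        for name in src.namelist():
            dst.writestr(name, replace.get(name, src.read(name)))
    return buf.getvalue()
```

`verify_archive(build_archive(DEMO_FILES, DEMO_KEY), DEMO_KEY)` returns an empty list, and so does the same archive after `repack()` to a different compression method, which is the re-compression property the post relies on; substituting a member produces a hash mismatch, substituting RECORD itself fails against the signed payload, and a wrong key fails the signature before any file is read. The verifier checks the signature before trusting anything in RECORD, and it rejects any `alg` other than the one it expects, because a signed object whose header names its own algorithm must never be allowed to pick one the verifier did not intend.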

On Wed, Jul 18, 2012 at 1:53 PM, Daniel Holth dholth@gmail.com wrote:
> One of the main design goals for the wheel built package format is that a wheel archive extracted to sys.path is a PEP-376 compliant installation. I also want most wheel files to be cryptographically signed. The idea is to include a < 256 byte JSON Web Signature of RECORD, "RECORD.jws", which will only take a couple of milliseconds to generate, in the .dist-info directory. This is only meaningful if RECORD has strong hashes, or the installer would have to always rewrite RECORD on install just to include md5 sums to follow the spec.
If you're including another file anyway, why not just put the signatures in there, then?

On Jul 18, 2012, at 5:44 PM, PJ Eby pje@telecommunity.com wrote:
> On Wed, Jul 18, 2012 at 1:53 PM, Daniel Holth dholth@gmail.com wrote:
>> generate, in the .dist-info directory. This is only meaningful if RECORD has strong hashes, or the installer would have to always rewrite RECORD on install just to include md5 sums to follow the spec.
> If you're including another file anyway, why not just put the signatures in there, then?
Of course that would work too. Jarsigner does that. RECORD is just tantalizingly close to what's needed.
participants (2)
- Daniel Holth
- PJ Eby