[Distutils] strong hashing in RECORD and signed wheel files

Daniel Holth dholth at gmail.com
Wed Jul 18 19:53:53 CEST 2012


One of the main design goals for the wheel built package format is
that a wheel archive extracted to sys.path is a PEP-376 compliant
installation. I also want most wheel files to be cryptographically
signed. The idea is to include a < 256 byte JSON Web Signature of
RECORD, "RECORD.jws", which will only take a couple of milliseconds to
generate, in the .dist-info directory. This is only meaningful if
RECORD has strong hashes, or the installer would have to always
rewrite RECORD on install just to include md5 sums to follow the spec.

PyPi already lets you sign whole archives with GPG, but this scheme is
more flexible because you can re-compress the .zip archive without
invalidating signatures, you could use HTTP Range (partial content)
requests to download and verify only the metadata of an archive
without having to download the whole thing (this is one reason why
.whl is a zip archive), and the whole system will be a bit more
relaxed than GPG so that bdist_wheel can just generate signing keys
automatically and an end user can decide whether to trust or
distribute a particular key later -- perhaps a particular key would be
valid per maintainer, or per distribution, or for only certain
versions of a distribution.

That's why I would like PEP 376 to understand hashes-besides-md5 in RECORD.
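As an added worked example of the scheme sketched above (written for this page, not code from the post or from the wheel project): a PEP 376-style RECORD with sha256 entries, a compact JWS over it, and an install-side check that verifies the signature before comparing every file against RECORD. The key and the package files are constructed stand-ins, and HS256 is used only so the example runs with the standard library; a distribution signature would use an asymmetric JWS algorithm instead.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_record(files: dict) -> str:
    """RECORD line per file: path,sha256=<urlsafe-base64 digest, no padding>,size"""
    lines = [f"{p},sha256={b64url(hashlib.sha256(files[p]).digest())},{len(files[p])}"
             for p in sorted(files)]
    return "\n".join(lines) + "\n"

def sign_record(record: str, key: bytes) -> str:
    """Compact JWS (RFC 7515) over RECORD. HS256 keeps the example stdlib-only;
    a distribution signature would use an asymmetric JWS algorithm instead."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(record.encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_record_jws(jws: str, key: bytes):
    """Return the signed RECORD text if the JWS verifies, else None."""
    parts = jws.split(".")
    if len(parts) != 3 or json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return b64url_decode(payload).decode()

def verify_files(record: str, files: dict) -> list:
    """Check each RECORD line against the extracted files; return paths that fail.
    Any hashlib algorithm named in the entry (sha256, md5, ...) is accepted."""
    bad = []
    for line in record.splitlines():
        path, hash_field, size = line.split(",")
        if not hash_field:  # PEP 376: RECORD's own entry carries no hash or size
            continue
        alg, _, expected = hash_field.partition("=")
        data = files.get(path)
        if data is None or int(size) != len(data):
            bad.append(path)
            continue
        if not hmac.compare_digest(b64url(hashlib.new(alg, data).digest()), expected):
            bad.append(path)
    return bad

# Constructed sample input: two files of a hypothetical package and a demo key.
SAMPLE_FILES = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/core.py": b"def f():\n    return 1\n"}
SAMPLE_KEY = b"demo-key-not-for-real-use"
```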
