requires.io | Wed 27 January 2016 Alexis Tabary

Since version 8.0 (released a week ago), pip can check downloaded package archives against local hashes to protect against remote tampering. To verify a package against one or more hashes, add the hashes at the end of the package's line in your requirements.txt file:

FooProject==1.2 --hash=sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e \
                --hash=sha256:486ea46224d1bb4fb680f34f7c9ad96a
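
As an added example (not code from requires.io or pip), the sketch below audits a requirements file before it reaches pip: it reports entries that are unpinned, that lack a well-formed `--hash=<alg>:<digest>` option, or whose digest has the wrong length, and it checks archive bytes against the listed hashes. The package names, archive contents and function names are constructed for illustration.

```python
import hashlib
import re

# Algorithms pip accepts for --hash, with the expected hex digest length.
ALLOWED = {"sha256": 64, "sha384": 96, "sha512": 128}
HASH_OPT = re.compile(r"--hash=([A-Za-z0-9_]+):([0-9a-fA-F]+)(?=\s|$)")

def logical_lines(text):
    """Join backslash-continued lines; drop blanks and comment lines."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit(text):
    """Return (requirement, problem) pairs; an empty list means all is well."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):  # file-level options such as -r or --index-url
            continue
        spec = line.split("--hash", 1)[0].strip()
        hashes = HASH_OPT.findall(line)
        if "==" not in spec:
            problems.append((spec, "not pinned with =="))
        if not hashes:
            problems.append((spec, "no well-formed --hash=<alg>:<digest>"))
        for alg, digest in hashes:
            if ALLOWED.get(alg) != len(digest):
                problems.append((spec, "bad algorithm or digest length: " + alg))
    return problems

def archive_matches(data, line):
    """True if the archive bytes match any hash listed on the requirement line."""
    return any(alg in ALLOWED and hashlib.new(alg, data).hexdigest() == digest.lower()
               for alg, digest in HASH_OPT.findall(line))

# Constructed sample: package names and archive contents are made up.
GOOD = "FooProject==1.2 --hash=sha256:" + hashlib.sha256(b"archive-a").hexdigest()
SAMPLE = "\n".join([
    GOOD + " \\",
    "    --hash=sha256:" + hashlib.sha256(b"archive-b").hexdigest(),
    "BarProject==0.3 --hash:sha256=" + "ab" * 32,   # ':' and '=' swapped
    "BazProject>=2.0 --hash=sha256:" + "cd" * 32,   # hash present, not pinned
    "QuxProject==4.1 --hash=sha256:" + "ef" * 16,   # truncated digest
])

if __name__ == "__main__":
    for spec, problem in audit(SAMPLE):
        print(spec + ": " + problem)
```
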

Requires.io is now compatible with this feature, as you can see for instance on this project: mozilla/kuma.

A big thank-you to jezdez for notifying us of this new feature of pip!

