Closed
Description
Feature or enhancement
Proposal:
Include the SHA-256 hash of the pip wheel artifact used in the ensurepip module and fail execution if the checksum doesn't match. This will serve as a protection mechanism, allowing non-trusted contributors to contribute updates to artifacts while letting reviewers quickly check in the PyPI UI whether the artifact has the correct checksum.
This feature request was spawned from this PR: #112517, which required a bit more reviewing work to be confident in the contributed artifact.
Has this already been discussed elsewhere?
I have already discussed this feature proposal on Discourse
Links to previous discussion of this feature:
Discussed in the release Discord channel.
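The check the proposal describes, written out as an added example (it is not CPython's ensurepip code and does not reflect how the project implemented it): the module pins the expected SHA-256 hex digest next to the bundled wheel, streams the wheel through SHA-256 at run time, and refuses to proceed on a mismatch. The wheel bytes, the file name and the `ArtifactChecksumError` exception below are constructed for the demonstration; the `demo()` function also shows that a modified artifact is rejected.

```python
"""Checksum-pinned artifact verification in the spirit of the ensurepip proposal.

Added example, not CPython's own ensurepip code. It assumes a wheel shipped
alongside the module and a SHA-256 hex digest recorded beside its file name;
the sample wheel bytes and names below are constructed for this demo.
"""
import hashlib
import hmac
import os
import tempfile


class ArtifactChecksumError(RuntimeError):
    """Raised when a bundled artifact's SHA-256 does not match the pinned value.

    Hypothetical exception type chosen for this example.
    """


def sha256_of_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 of a file, streamed in chunks.

    Streaming keeps memory flat for large wheels instead of reading the
    whole archive into memory at once.
    """
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path, expected_hex):
    """Return True when the file's SHA-256 equals expected_hex; raise otherwise.

    The pinned digest is the review anchor: a reviewer compares it against the
    hash shown on PyPI instead of inspecting the binary wheel by hand.
    hmac.compare_digest is the idiomatic constant-time digest comparison.
    """
    actual_hex = sha256_of_file(path)
    if not hmac.compare_digest(actual_hex.lower(), expected_hex.lower()):
        raise ArtifactChecksumError(
            f"{os.path.basename(path)}: expected sha256 {expected_hex}, "
            f"got {actual_hex}; refusing to install an unverified artifact"
        )
    return True


def demo():
    """Pin a constructed wheel, verify it, then alter it and confirm rejection.

    Returns (genuine_accepted, tampered_rejected) so the outcome can be checked.
    """
    payload = b"PK\x03\x04 constructed pip wheel bytes for the demo"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        wheel = os.path.join(tmp, "pip-0.0.0-py3-none-any.whl")  # constructed name
        with open(wheel, "wb") as fh:
            fh.write(payload)

        # This is the value a maintainer would record in the module next to
        # the wheel name and that a reviewer would cross-check against PyPI.
        pinned_hex = hashlib.sha256(payload).hexdigest()
        genuine_accepted = verify_artifact(wheel, pinned_hex)

        # Simulate a swapped or altered artifact: one extra byte changes the digest.
        with open(wheel, "ab") as fh:
            fh.write(b"\x00")
        try:
            verify_artifact(wheel, pinned_hex)
            tampered_rejected = False
        except ArtifactChecksumError:
            tampered_rejected = True

    return genuine_accepted, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The digest is compared as lower-case hex on both sides so a pin copied from the PyPI UI in either case still matches; the rejection path raises rather than returning False so a caller cannot accidentally ignore the failure.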