packages.json: support (require?) SHA in addition to version

[matthewleon]

Requiring a hash in addition to the version tag would be a cheap additional layer of security. As it stands, a package author could maliciously amend a tag in their git repo, no?

[paf31]

Sounds like a good idea.

[matthewleon]

Adding this here as a related consideration: https://theupdateframework.github.io/

Since hackage implements this, it might not be too hard to steal code from them at some future point. https://github.com/haskell/hackage-security

This might not be applicable given that psc-package works in a fundamentally different way from Hackage, but at least there might be some ideas to take inspiration from.

[Pauan]

See also https://github.com/purescript/package-sets/issues/32

[matthewleon]

@Pauan thanks. Good to see I'm not the only one with this concern. I will do some reading and have a think.