That’s probably fine from the security perspective, but the hash won’t make the package re-appear if it disappears out of nowhere. That’s the other benefit of a private/on-premises mirror.
True. I work with PyPI and it's been extremely solid for years, so we tend to just not consider this a problem at all. Pipenv stores hashes for each package version as well, so you get the security aspect built in.
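As an added illustration of the two points above (not code from either poster or from Pipenv itself): the sha256 digests Pipenv records in Pipfile.lock let you detect a mirror serving altered bytes, but they cannot do anything about an artifact that has vanished. The lock-file excerpt, package name and artifact bytes below are constructed for the example.

```python
import hashlib
import json

# Constructed artifact bytes standing in for a downloaded wheel and for a
# tampered copy of it served by a compromised or mis-synced mirror.
GOOD_ARTIFACT = b"examplepkg-1.2.3-py3-none-any.whl contents"
TAMPERED_ARTIFACT = b"examplepkg-1.2.3-py3-none-any.whl contents (altered)"

# Constructed Pipfile.lock excerpt. Pipenv stores, per pinned version, the
# sha256 of every distribution file it accepted, as "sha256:<hex>" strings.
PIPFILE_LOCK = """
{
  "_meta": {"hash": {"sha256": "placeholder-lock-hash"}},
  "default": {
    "examplepkg": {
      "version": "==1.2.3",
      "hashes": ["sha256:%s"]
    }
  }
}
""" % hashlib.sha256(GOOD_ARTIFACT).hexdigest()


def allowed_hashes(lock_text, name, section="default"):
    """Return the set of sha256 hex digests the lock file permits for `name`.
    Raises KeyError if the package is not pinned in that section."""
    entry = json.loads(lock_text)[section][name]
    return {h.split(":", 1)[1] for h in entry["hashes"] if h.startswith("sha256:")}


def verify_artifact(lock_text, name, data):
    """True only if the artifact's sha256 is one of the locked digests."""
    return hashlib.sha256(data).hexdigest() in allowed_hashes(lock_text, name)


def fetch_and_verify(mirror, filename, lock_text, name):
    """Simulate an install from a mirror (a dict of filename -> bytes).
    'mismatch' is what hash pinning protects against; 'missing' is the case
    the lock file cannot fix, which is where a private mirror earns its keep."""
    data = mirror.get(filename)
    if data is None:
        return "missing"
    return "ok" if verify_artifact(lock_text, name, data) else "mismatch"
```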
Pipenv has pretty much fixed Python packaging/dependencies, in my opinion. It's the all-in-one tool I've always wanted. If you do any Python work, try it, it's great.