PEP 710: elaborate on storing at least one hash

Signed-off-by: Fridolin Pokorny <[email protected]>

Author: fridex

peps/pep-0710.rst

@@ -437,6 +437,17 @@ contain any entries. In such cases, pip does not create any
 is encouraged for consumers to rebuild wheels with a newer version of pip in
 these cases.
 
+uv developers `raised a concern about requiring at least one hash
+<https://discuss.python.org/t/25428/34>`__ in the ``provenance_url.json`` file
+as uv does not calculate distribution hashes unless explicitly required.
+However, requiring at least one hash aids in integrity checks for
+distributions. This is important in scenarios involving lock files or when
+identifying distributions as part of SBOMs. The ``provenance_url.json`` file
+mandates the inclusion of at least one hash for the downloaded distribution.
+Installers that do not compute hashes of distributions as part of the
+installation process (e.g., due to performance reasons) can omit creating the
+``provenance_url.json`` file.
+
 Making the hashes key optional
 ------------------------------
 
@@ -646,17 +657,19 @@ which this idea originated.
 Thanks to Donald Stufft, Ofek Lev, and Trishank Kuppusamy for early feedback
 and support to work on this PEP.
 
-Thanks to Gregory P. Smith, Stéphane Bidoul, and C.A.M. Gerlach for
-reviewing this PEP and providing valuable suggestions.
+Thanks to Gregory P. Smith, Stéphane Bidoul, C.A.M. Gerlach, and Adam Turner
+for reviewing this PEP and providing valuable suggestions.
 
-Thanks to Seth Michael Larson for providing valuable suggestions and for
+Thanks to Seth Michael Larson for support, providing valuable suggestions and for
 the proposed pip-sbom prototype.
 
 Thanks to Stéphane Bidoul and Chris Jerdonek for :pep:`610`.
 
 Thanks to Frost Ming for raising possible concern around storing index URL in
 the ``provenance_url.json`` file.
 
+Thanks to Charlie Marsh and Zanie Blue for inputs related to the uv installer.
+
 Last, but not least, thanks to Donald Stufft for sponsoring this PEP.
 
 Copyright